The email is the 2nd factor when it's a new device logging into 5D. In addition to entering a username and password (the first factor), 5Dimes will email a verification link the user has to login to their personal email to access and enter a one time verification code (the 2nd factor). Some places use a text message or requiring access to an authentication app, but 5Dimes uses an email sent to your personal email account. They're basically saying whoever got into his 5Dimes account also had access to his personal email account registered to his 5Dimes account whether it was a hacker, a "friend" who decided to mess around in the casino or the OP having buyers remorse after blowing their money in the casino and wanting a way to get their money back. The hacker explanation is the easiest way to avoid being accusatory to the OP while also telling him he's SOL getting anything from 5D.