Locking withdrawals to predefined addresses or disabling withdrawals for currencies is a good security improvement in itself, but it will only be a true security improvement if you lock all addresses for all currencies.
In this case, an account's credentials were to be compromised and if only some currencies have locked addresses while leaving others unlocked, an attacker would still be able to withdraw funds to an address under his control for one of the currencies not set to a locked address. The attacker could simply exchange the funds in the account to a currency not set to a locked address and withdraw.
If you wish to increase the level of security of your account by locking addresses, this will only help if all addresses are locked. We strongly suggest that you will review the locked withdrawal address settings on your account.
Sample Set Up
We also wish to point out that unlocking or changing a locked withdrawal address of your Ethfinex account triggers an automatic withdrawal hold of 5-days for all currencies. During this period no withdrawals will be processed. This 5-day withdrawal hold is only applied when re-enabling disabled withdrawals for a currency or when modifying an existing whitelisted address. This is because it marginally reduces your withdrawal security.
There is no 5-day hold applied when disabling withdrawals or adding whitelisted addresses since these actions marginally increase withdrawal security.
These holds are an essential part of why the locked addresses help improve security. In case an account was to get compromised and the attacker would want to withdraw to an address under his control, he could unlock withdrawals for a currency. However, he will not be able to quickly transfer funds out to a new address, because of the 5-day security hold. The account owner would have a chance to notice the breached security during this 5-day period and would be able to freeze his account.
If you need to make a withdrawal to a new address keep this in mind and be aware you will not be able to do so for 5 days after making a change to the locked addresses.