This is cold comfort, but the system itself has major vulnerability since 2FA utilizes an inherently unsecure and easily cross-referenced point of entry for hackers-our phone numbers. It's still more secure than not having 2FA, but improvements are needed.
I posted on Net54 this year a thesis that 2FA tied to your device, not your phone provider account, is in fact what was originally intended. Slowly, creakily, the tech world is headed in that direction with apps like Authy that provide a push notification you simply allow or deny access with. Paypal recently added it so I highly recommend adding it there. Cryptocurrency heists are driving the evolution in identity theft security solutions.
You should run your email through the "pwned" searcher to check if it's been caught up in a data breach. The best course of action if it comes back red, unfortunately, is to abandon the account.
https://haveibeenpwned.com/
https://net54baseball.com/showthread.php?t=296679
https://authy.com/blog/two-factor-au...tter-security/