What it feels like to lose control of your entire digital identity
When someone takes over your accounts, it’s hard to get them back.
Two-factor (or multi-factor) authentication is the best way to protect accounts, but it must be implemented correctly. If an account is tied to a phone number, as in this case, the second factor must NOT be tied to the same number. Here the verification code was sent in an SMS that, of course, is tied to the compromised phone number.
The correct implementation uses another channel for the authentication, for example Google Authenticator or similar. If this had been used, compromising the phone number would not have been enough. The hacker would have needed access to the actual phone, and that would prevent simple hacks like the one described in this post.