I don’t mean to say it was OP’s fault, but you shouldn’t really use your primary phone number for 2FA anyways. Using a burner dumb phone dedicated only for 2FA should be standard, right?
It turns out the hacker stole a dealer's ID, which meant the OTP sent to my phone was never needed / used. The dealer ID overrides the need for a password.