It’s very easy to socially engineer a cellular ISP into redirecting arbitrary customers’ calls/texts to you, with just publically-available information.
Usually if you have a given user's username and password (from some big accounts breach), but not 2FA SMS access, you can still access enough accounts of theirs (because people still tend to use the same password for everything!) to see all the personal details required to phish the 2FA SMS redirection out of their cellular ISP.
Or, sometimes, you don't even need login access; one notable attack has been to the credit-reporting systems, where to unfreeze your credit report (and thereby apply for new credit lines) the reporting agencies require your name, birthdate, SSN, and SMS verification. But if the attacker already has name, birthdate, and SSN... well, that's all they need to get the cellular ISP to redirect the SMS verification, as well.