by limeblack 1850 days ago
Honest question: an email I infrequently use is on the list at https://haveibeenpwned.com/

Is it safe if I simply add 2-factor authentication (edit: change password of course also), or do I need to add something else?

4 comments

The only thing I'd add to the other comment (by babelfish) is: I'm not sure from your description whether your email account itself was compromised or merely an account on some site that is connected to your email (for example, a Hacker News account which you used that email address to sign up with).

If the email account itself was compromised, then you should also check any account that you signed up for using that email address, to make sure that you still have access (because if someone had access to your email, they could have used it to reset the password on those other sites).

Change your password, change the password of any other site where you use a variation of that password, and enable 2FA on all your accounts. Use a password manager and change your passwords to longer randomly-generated ones over time (most password managers make this easy).

I did this on all of my accounts over the course of a month. Finally having an inventory of my accounts meant that I could change the email on all accounts over a weekend.

I'm shell-shocked and now have a chemical dependency on locking things down. All of my machines now use ssh keys + passphrase and I no longer put any unencrypted traffic over the LAN. Obviously there is a source of stress in my life.

2FA is such a hassle that IMHO it's only worth it for high-stakes accounts. 20+ character long random passwords are totally adequate security for most accounts, and you don't get constantly harassed by 2FA prompts.

WebAuthn prompts aren't a big hassle. On this desktop I reach over and touch the Security Key; on my phone I tap the fingerprint sensor. Because the phone is entitled to set UV, since it knows that's my fingerprint and not somebody else picking up the phone, it could replace the password step, which is more annoying.

WebAuthn is good, easy to use, quick to complete, and more secure than "enter the number we send you", so I like it. Unfortunately most services (that I use, anyway) are stuck in the "let's make you wait 1-2 minutes for an SMS" or "use our/your authenticator app". I find this especially annoying in conjunction with services that seem to use "risk-based authentication", because using an adblocker and anti-fingerprinting = extreme maximum risk for those, i.e. let's force 2FA auth for every action even after five minutes (sometimes, seconds!).

And as far as RBA goes, if they don't go full-2FA, they'll often somehow go for the password instead of the second factor to verify. I tend to keep my password manager locked when not in active use, so that's more hassle for me on services that DO use WebAuthn (GitHub, Google) than if they'd just use WebAuthn for the "high risk action" verification.

2FA is more than adequate on its own in a lot of cases: attackers tend to go for low-lying fruit.

Also, how worried you need to be depends on what you use the account for... People go off the deep end about securing every single account like it's Fort Knox, but you need to consider what is at risk if a given account is compromised, and what damage could be done with it.

Obviously look out for targeted phishing from people who know that you have a registration with a particular site. But if you're on HN, that might go without saying.