by babelfish 1850 days ago
Change your password, change the password of any other site where you use a variation of that password, and enable 2FA on all your accounts. Use a password manager and change your passwords to longer randomly-generated ones over time (most password managers make this easy).
2 comments

I did this on all of my accounts over the course of a month. Finally having an inventory of my accounts made it so that I could change the email on all accounts over a weekend.

I'm shell-shocked and now have a chemical dependency on locking things down. All of my machines now use ssh keys+passphrase and I no longer put any unencrypted traffic over LAN. Obviously there is a source of stress in my life.

2FA is such a hassle that IMHO it's only worth it for high-stake accounts. 20+ character long random passwords are totally adequate security for most accounts and you don't get constantly harassed by 2FA prompts.
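To put a number on the "20+ character random password" claim above, here is an added example (not posted by anyone in this thread) that generates such a password from the OS CSPRNG and computes its entropy; the 94-character alphabet and the guess rate used in the test are assumptions for illustration, not figures from the thread.

```python
import math
import secrets
import string

# Assumed alphabet: upper/lowercase letters, digits and printable symbols (94 chars).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    Uses the `secrets` module (OS CSPRNG), not `random`, which is not
    suitable for security-sensitive values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years an attacker needs to try every value in a keyspace of 2**bits
    at a sustained guess rate (an offline-cracking worst case; online
    guessing against a rate-limited login is far slower)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"password: {pw}")
    print(f"entropy:  {bits:.1f} bits")
    # Hypothetical 1e12 guesses/s offline attacker, purely for scale.
    print(f"years to exhaust at 1e12 guesses/s: {years_to_exhaust(bits, 1e12):.3e}")
```

A 20-character password over this alphabet carries about 131 bits of entropy, which is why a manager-generated password of that length is not the weak link; the remaining risk the thread discusses (phishing, reuse across sites, a breached site leaking it) is what a second factor such as WebAuthn addresses.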
WebAuthn prompts aren't a big hassle. On this desktop I reach over and touch the Security Key, on my phone I tap the fingerprint sensor. Because the phone is entitled to set UV since it knows that's my fingerprint not somebody else picking up the phone, they could replace the password step which is more annoying.
WebAuthn is good, easy to use, quick to complete, and more secure than "enter the number we send you", so I like it. Unfortunately most services (that I use, anyway) are stuck in the "let's make you wait 1-2 minutes for an SMS" or "use our/your authenticator app". I find this especially annoying in conjunction with services that seem to use "risk-based authentication", because using an adblocker and anti-fingerprinting = extreme maximum risk for those, i.e. let's force 2FA auth for every action even after five minutes (sometimes, seconds!).

And as far as RBA goes, if they don't go full-2FA, they'll often somehow go for password instead of second factor to verify. I tend to keep my password manager locked when not in active use, so that's more hassle for me on services that DO use WebAuthn (Github, Google) than if they'd just use WebAuthn for the "high risk action" verification.