by acdha
1242 days ago
MFA means that you're not immediately exploitable. It doesn't mean that you can't be phished — and remember that someone with your LastPass vault can make some pretty convincing targeted phishing messages — if your 2FA is anything other than a FIDO2/WebAuthn key. This has become routine and there are toolkits for attackers to make it easier, so it's definitely not an emergency but not something you want to slack on. It also doesn't help if there's any way around the MFA process. For example, could the attacker convince a minimum-wage support person / chatbot that you need to reset your MFA? Many companies skimp mercilessly on support costs and that makes this easier than it should be. I've even seen sites where your MFA can be reset using an email challenge!