by pphysch 703 days ago
> They are the second factor and require an attacker to have the password too.

For every leaked database of SMS messages there are 1000 leaked databases of account credentials.

2 comments

Good point.

But what's the threat model here?

I didn't think of 2FA as being protection against password reuse. People should still avoid reusing passwords and change them if they know of a breach.

Are there really attackers who are picking up breach databases and then SIM-swapping to get the 2FA as well?

I think 999 of those databases are the same data set. I lost a password ten years ago from a blog breach and I get almost a monthly notification about it showing up again and again.