So it turns out that the accounts were all phished. What I don't understand is how so many accounts were able to be accessed, I would have thought that almost all accounts were protected by 2fa and this would have stopped the issue?

I think I must be missing something.