You know what is surprising here is why he even received codes in the email when 2FA is enabled in his account. Why, can you choose where you want to receive the codes such as email even if 2FA is turned on? The hacker who knew his login details tried to reset his password. When you opened your email did it not mark as read? This means that he will not be able to access even your email to get the codes. Good thing that even that is already 2FA and the secondary layers of protection work. Didn't you notice anything unusual about your account activity such as trade history? So the hacker has not been successful in having full control or access to your account.
If some of your remaining coins are not supported by a hard wallet just use their official wallet because you are almost certain that you will hold your private keys or mnemonic phrases. Or you can also use some trusted and recognized non-custodial wallets.
They have a 24-hour no withdrawal function after a password is changed, else, the fund would already be gone. I reset my password using the forgot password option. In doing so, they sent me security code to my email and I also needed to use Google Authentication in combination to the security code to reset my password. That means the hacker need to use the same too. The Google Authenticator was installed on my old iPhone which usually is turned off. There is always a risk that the phone stops working because it is semi broken as the old battery expanded and forced the touch screen surface to bulged. But it is usable. I cannot reinstall it on my new phone since I didn't keep the recovery key.
Good point on the "read" email comment. No, these emails were not read when I saw them and received them.