-snip-
Last week I had a text from blockchain notifying me that my 2fa security had been removed
Maybe you forgot that you also received a 2fa reset request before this notification? A thief can easily remove 2fa if he has access to your email.
-snip-
I am not sure what I have done wrong here and the only place that my seed phrase was exposed to was my spectrum wallet which at the time I thought I must have been doing wrong,
Last I remember, opening a blockchain wallet requires a registered wallet ID or email. So if you don't think you've ever exposed the seed phrase, then what about email?