regardless of 2FA or not, I believe AT&T is at fault....simply for the fact that there were numerous logged calls on the account by someone who didn't know the security code..repeatedly...
that should have flagged all kinds of warning and triggered an escalation because its obvious someone was trying to compromise the account.
A single call with no security code, fine..but multiple attempts....seriously...that should have flagged something with AT&T
Biting the hand that feeds IT
