Sorry to hear you got hacked, it must feel awful.

I have one question: how did they access your account with just one 2FA code? I’m no cryptography expert but I thought you would need at the very least two code/ time combinations to be able to decide your API key.

Or did they log into your account there and then?