More than likely they used a password from another recently breached site. Yes, you should have used 2 factor authentication but what you should do is check out haveibeenpwned.com to see if your information has been found in other account dumps. Also don't use the same password for other sites. Use a password manager. Its definitely handy.