(no title)

But what's the threat model here?

I didn't think of 2FA as being protection against password reuse. People should still avoid reusing passwords and change them if they know of a breach.

Are there really attackers who are picking up breach databases and then sim-swapping to get the 2FA as well?