I witnessed first-hand yesterday how scary a SIM swap could be. 

Chris, my co-founder, had been SIM-swapped and the attacker entered his personal Gmail, which contained 2FA codes for his accounts thanks to Google Authenticator cloud sync.

Thankfully, nothing has been affected on the IYK side (except for Twitter).

Even if mobile 2FA is used everywhere, as long as your Google account is resettable via SMS, you're screwed if you have cloud sync turned on for Google Authenticator.

It's on by default, but you can turn this off in the top right of the app:

It's pretty insane that carriers let you to order a new SIM or transfer your number to another carrier over the phone. I've called my carrier to make sure that any changes need to be verified through my current SIM, or in person with 3+ pieces of proof.

If anyone has any more helpful security tips please let me know!

Even if mobile 2FA is used everywhere, as long as your Google account is resettable via SMS, you're screwed if you have cloud sync turned on for Google Authenticator.

It's on by default, but you can turn this off in the top right of the app: https://9to5google.com/2023/04/28/google-authenticator-sync-off/