2FA is probably the best stopper to problems like this, especially credential stuffing, but if it was a more in-depth hack, then maybe two-factor wouldn't help. It seriously just depends on how this occurred.