What I dislike about the 2 factor thing is giving out yet one more thing to be stolen. I don't even give my doctor my real phone number.
How do you remember all those complex passwords? Especially if you have like 50 or more websites?
Do you write it down in a list or do you use your browser to store the passwords or a 3rd party software similar to Roboform?
These days hundreds of companies know everything about you from info sold by your phone company. I'm still getting stuff from my info AT&T sold even though I haven't had them for over 5 years (I know this because they misspelled my name).
I use KeePass for storing passwords (just checked and I have 150 accounts saved over the years, I only use a tiny fraction of them). It uses ChaCha20 - 256 bit encryption with a long password. The DB is stored locally. I use a different password for every site. I have 3 junk emails, which I have accrued over time, each with their own long randomly generated password that I allow the browser to store locally. I have one true email for important stuff.
I use Firefox without an account so login/passwords I tell the browser to store are only local. No one uses my computers but me.
For very important stuff like banking/cc accounts, I never store the account name or password, and never allow the browser to remember it. I just remember it. I even have a dedicated cheap laptop for only accessing those accounts, and nothing else.
Generally speaking, how this hacking stuff works is that one site gets hacked. The hacker uses the account name/email address with the hacked password to log in to other sites, and keeps chaining them along until they can get to some money/items.
So priority #1 is to use a different password everywhere you don't want to get hacked. Consider every place you enter an email/password as hacked, and consider how the hacker can use that email/password to get to other accounts you use. If that combo is unique, then the hacker can get to nothing else.
When I read your original story, I suspect that another account was hacked with identical login credentials, and then used to log in to Amazon. From there, the hacker got into Facebook, and/or perhaps even another site you use with identical Facebook login credentials was hacked.
The moral of the story is, for every account login that you care about, give it a unique account name/password combination, and make sure you use good passwords.
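An added example, not part of any post in this thread: a small audit that takes a list of saved logins and reports, for each site, which other accounts would fall if that one site were breached. The `VAULT` entries, site names and passwords are constructed sample data, and the tuple layout is an assumption rather than any password manager's export format.

```python
from collections import defaultdict
import hashlib

# Constructed sample entries: (site, login, password). Not real accounts.
VAULT = [
    ("shop.example", "me@junk1.example", "Tr0ub4dor&3"),
    ("forum.example", "me@junk1.example", "Tr0ub4dor&3"),
    ("social.example", "me@junk1.example", "Tr0ub4dor&3"),
    ("news.example", "me@junk2.example", "Tr0ub4dor&3"),
    ("bank.example", "real@mail.example", "x9!Lq-72#vRpe_Gd"),
    ("mail.example", "real@mail.example", "c4Zt$0mW+hh81&uY"),
]

def _fingerprint(*parts):
    """Hash the values so the grouping keys are not plaintext passwords."""
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

def reuse_report(vault):
    """Map each site to the other sites at risk if that one site is breached.

    'exposed'       = same login AND same password (the stolen pair works as-is).
    'password_only' = same password under a different login (weaker link).
    """
    by_combo, by_password = defaultdict(set), defaultdict(set)
    for site, login, password in vault:
        by_combo[_fingerprint(login.lower(), password)].add(site)
        by_password[_fingerprint(password)].add(site)
    report = {}
    for site, login, password in vault:
        exposed = by_combo[_fingerprint(login.lower(), password)] - {site}
        pw_only = by_password[_fingerprint(password)] - {site} - exposed
        report[site] = {"exposed": sorted(exposed),
                        "password_only": sorted(pw_only)}
    return report

if __name__ == "__main__":
    for site, r in reuse_report(VAULT).items():
        reused = r["exposed"] or r["password_only"]
        status = "REUSED" if reused else "unique"
        print(f"{site:15} {status:7} exposed={r['exposed']} "
              f"password_only={r['password_only']}")
```

Any site whose `exposed` list is non-empty is one breach away from taking the listed accounts with it; the goal is for every entry to come back `unique`.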
Right now close to 2/3 of corporate databases have been copied, including the credit reporting companies.
It's so pathetic how many get broken into.