I ran into something similar last year, and besides locking things down with 2FA, I switched to using a number tied to my sip trunking provider instead of my mobile. That way, I keep tighter control over who can get into my accounts since it's not a typical mobile carrier number and isn’t easy...