They hacked my Facebook, bank, Authy, PayPal, and quite a few other websites.
This is a pretty common method of fraud called ATO -- account take over.
What happens is this:
The attacker gets some initial leverage. He probably either bought your email and password somewhere, or he bought your paypal login and password somewhere (like slilpp) and it was the same as one your emails.
Whatever he got, he used it to leverage all your emails. Then used your emails to leverage your account password resets.
the phone takeover trick is well known in fraud circles.
This method is minimally effective on someone like you, but if you and @sharingeverybyte were way older and less connected to the interwebs, they would have probably cleared all your bank accounts and maxed out all your credit cards by now.
Also, check the forwarding on all of your emails. Even if you changed the password, if hes already been monkeying around in your account settings, he might still be getting your emails.
Also, check your tmobile settings and make sure your texts aren't being forwarded. Thats likely how he got the unlock code to port your number to a new carrier.
Thanks, that's really helpful. I'll check the email forwarding and T-mobile settings. I think they got into my primary email by going through my backup email, which was less secure and probably had a password which, at that time, was the same as another website.
I was planning to write about this in the next part, but as for porting my number to a new carrier, they need to know two things: My account number and the last 4 of my SSN. Apparently, number porting is federally regulated and they must have the same porting requirements for every user. For T-mobile, it's those two items. It is illegal for them to add any security measures to my account to prevent my number from being ported again. At least, that's what they told me.