The hack doesn't have much to do with it. Meta account recovery flow has always allowed bypassing 2FA.