
As someone working in telecom, we often hear customers telling us that their bank account has been wiped clean. How did they get there? SIM swap. A bad actor manages to transfer the phone number into a SIM card they control.

Now they have potential access to all accounts where you use 2FA.
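The mitigation side of the comment above, as an added example that is not part of the original thread: once a number has just moved to a new SIM or a new carrier, a bank cannot tell whether the subscriber or a bad actor will receive the next SMS code, so the usual defence is to refuse SMS delivery for a cooling-off period and require a factor the SIM does not carry. The record shape, the 48-hour window and the sample subscribers are all constructed for this example; real carrier SIM-swap lookups differ in shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed record shape: what a carrier could tell a bank about a number.
# Real carrier "SIM swap check" APIs differ; this is a constructed model.
@dataclass(frozen=True)
class NumberRecord:
    msisdn: str
    last_sim_change: Optional[datetime]  # number last activated on a new SIM
    last_port: Optional[datetime]        # number last moved between carriers

@dataclass(frozen=True)
class OtpDecision:
    allow_sms: bool
    reason: str

# Hypothetical policy value: after a SIM change or port, treat SMS as
# untrusted for this long and fall back to a factor the SIM does not carry.
SIM_SWAP_COOLDOWN = timedelta(hours=48)

def sms_otp_decision(record: NumberRecord, now: datetime,
                     cooldown: timedelta = SIM_SWAP_COOLDOWN) -> OtpDecision:
    """Decide whether an SMS one-time code may be sent to this number."""
    events = (("SIM change", record.last_sim_change),
              ("number port", record.last_port))
    for label, ts in events:
        if ts is None:
            continue
        age = now - ts
        if age < cooldown:
            hours = age.total_seconds() / 3600
            limit = cooldown.total_seconds() / 3600
            return OtpDecision(
                False,
                f"{label} {hours:.1f}h ago is inside the {limit:.0f}h cooldown; "
                "require an authenticator app or passkey instead",
            )
    return OtpDecision(True, "no recent SIM change or port on record")

def triage(records, now):
    """Map each number to whether SMS delivery is allowed right now."""
    return {r.msisdn: sms_otp_decision(r, now).allow_sms for r in records}

# Constructed sample data, not real subscribers.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    NumberRecord("+15550000001", NOW - timedelta(hours=2), None),    # swapped 2h ago
    NumberRecord("+15550000002", NOW - timedelta(days=400), None),   # stable for a year
    NumberRecord("+15550000003", None, NOW - timedelta(hours=30)),   # ported yesterday
    NumberRecord("+15550000004", None, None),                        # no history
]

if __name__ == "__main__":
    for r in SAMPLE:
        d = sms_otp_decision(r, NOW)
        print(r.msisdn, "SMS OK" if d.allow_sms else "SMS BLOCKED", "-", d.reason)
```

The window is a policy choice rather than a hard rule: too short and the check misses swaps that happened the day before the account drain, too long and legitimate customers who just replaced a phone lose SMS for days. Whatever the value, the important property is that a blocked SMS falls back to a factor the attacker's new SIM does not receive, not to e-mail or a voice call to the same number.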




But that's just one of the FAs? In fact you could argue any 2FA account is 3FA.

For example, to break into John's account at bank dot com you need to know:

1. John's username.
2. John's password.
3. The code the bank sends to John's SMS.

I guess for a lot of extremely important things the username is public information, so that one is easy to get, but you still need the password besides the SMS.

Where are these bad actors getting the users' passwords from?

It seems you already need to have a leaked password for this SMS attack to mean anything, which I assume isn't something that happens very often. From how often I've heard about SMS 2FA being bad, it sounds like it's worse at locking your account than 1FA, and that's what doesn't make sense to me.



