Hopefully that clarifies for some folks why these big tech/social media companies insist on having your phone number as a “2FA for security” despite all the SIM-swap attacks... simply for this moment, because you might be using a VPN, and address/name aren’t in your Google account, but definitely your phone number is there. It’s even worse if you’re using an Android too, as they probably will pull out all your app/browsing history...
Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeted attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.