Thank you for replying, PinkElephant and s2sailor.
I'm not sure what could I have done wrong with implementing security measures.
I changed my email, password and set up 2FA. Apart from this, I changed most of my passwords and emails, I'm now using a password manager; even the router was changed.
There was no malware on the laptop (as far as I can tell).
How is it possible, even if someone learned the new password, they were able to access the account without having the codes from 2FA?
Unless all my devices, including the mobile phone, are infested with some malware?
No, I didn't use a VPN. 😧