Many organizations send an SMS text message to your phone with a short number for you to enter after your password. It's a really convenient way to give you 2FA. This has been something that is important for things like online banking.
The problem is that hackers are now sending fake SMS messages:
Oh, foo. There's no authentication for the SS7 signaling, and so there's no authentication for the text message. If someone has your phone number and can send SS7 into the telephone network, they can send a text message seeming to come from your bank. More importantly (and this is what seems to have been used here) they can cause the victim's text to go to any old device they want - this is where they steal the codes.
Financially-motivated hackers are using SS7 attacks to break into bank accounts.
Unfortunately, there's no solution yet. Watch your bank account closely is about all you can do.