This keeps happening to cryptocurrency enthusiasts, but is a well-worn attack within the capabilities of a non-technical teenager. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124 … Take your phone number off your Gmail/etc accounts and use hardware or TOTP 2FA.
Google Authenticator is a TOTP, so acceptable for this purpose, as long as you can't end-run it with an SMS/etc.