Seems plausible. Suffered a SIM-hijack attack via T-Mobile a few years ago. Set a giant extra arbitrary password for account changes after that - but they essentially don't ask for it. Fairly regularly they show notices of breaches via email or when logging in.
Don't use a mere mobile number for the backup access to anything inportant!
Don't use a mere mobile number for the backup access to anything inportant!