If one hacker just wants to get your information and not do anything, then it would be quite difficult to handle all of this. I mean it is clear to me that if they do not "do" anything then how could you actually get some defense against it. Then after they got your mail, your password that you use, there are thousands of software for hackers where they will enter the mail and the password and it will search thousands of websites to see if you have any accounts there as well.
So, they could literally get your information from here, but then hack another account unrelated to you. Hence why I keep saying people to have different passwords for each different website.
Why though? I mean there could be some type of situation where that would be beneficial for the person because they are trying their hand at multiple places, instead of just hacking into one account, but they already have it, so why not include it here as well? Just check other places along with stake together?
You should always have different passwords that's true, but in that case then if they can't find nothing in anywhere else, they would still comeback here because they hacked you here? All in all 2FA is good enough, if you are getting hacked even after 2FA there must be something wrong, how do they have the results of your google auth app?