Your mfa is now mfa-1
deleted by creator
Do you mean individual 10 second 6 digit codes?
no, the underlying secret
deleted by creator
Change your shit asap. Anyone who has access to it can theoretically auth as you on any site or product that uses that 2fa setup. They would still need to have your underlying credentials that would initiate the 2fa protocol exchange anyway, but if they have access to your underlying 2fa secret, its not too far fetched to believe they may have other credentials potentially, depending on how you’ve secured the access and where you store your credentials. To be safe and not paranoid, it’s best to just do a root trust rotation and cycle the underlying auth creds
Worst thing? Someone with access to your password can now break into the associated account, and use that access to snoop or potentially permanently lock you out. E2EE data could be lost forever if they change the password and 2FA.
More likely? Unless you reuse passwords, or the associated site has been recently compromised, pretty low odds of compromise. If you suspect your 2FA has leaked, just get a new secret, easy peasy. Most reputable sites should alert you to a login on a new device, potentially giving you time to react or alerting you of snooping.
If your secret leaks without context on what site it’s associated with, then unless your name is Taylor Swift, odds of someone associating it to a site, let alone the matching password, are astronomical.
Then your password (your other, “first” factor) is the only thing preventing an intruder impersonates you.
You’ll still have to go through the hassle the now useless second factor puts you through, so you might as well update your second factor even if you trust your first to be very secure.
Change it and be done