The situation is the following: I had an additional email attached to my GitLab account on a custom domain (.sh), which I forgot about and didn’t renew. Because I published a lot of npm packages and specified my email there, somebody re-registered that domain in a bid to steal my accounts on npm and GitLab. Gladly, I had 2FA enabled in both places; however, on GitLab, they were able to change the password, but I guess they couldn’t log in because of 2FA. Therefore, I think it shouldn’t be possible to even change the password without entering the code?