I witnessed first-hand yesterday how scary a SIM swap could be. Chris, my co-founder, had been SIM-swapped and the attacker entered his personal Gmail, which contained 2FA codes for his accounts thanks to Google Authenticator cloud sync. Thankfully, nothing has been affected on the IYK side (except for Twitter).