This is really interesting because of a few things:
* SMS authentication is not the same thing as 2FA, but people think that it is.
* SMS account recovery is convenient for the bad guys.
* The fact you got a welcome text from Metro PCS. If that was sent to your Boost device, someone from TMobile (they operate the networks that both Boost and Metro ride on) needs to take a look as that should not have been able to happen.
* In order to port a number you have to know the account security question's answer. Boost does have this. Was this bypassed?
* SMS authentication is not the same thing as 2FA, but people think that it is.
* SMS account recovery is convenient for the bad guys.
* The fact you got a welcome text from Metro PCS. If that was sent to your Boost device, someone from TMobile (they operate the networks that both Boost and Metro ride on) needs to take a look as that should not have been able to happen.
* In order to port a number you have to know the account security question's answer. Boost does have this. Was this bypassed?