MFA means that you're not immediately exploitable. It doesn't mean that you can't be phished — and remember that someone with your LastPass vault can make some pretty convincing targeted phishing messages — if your 2FA is anything other than a FIDO2/WebAuthn key. This has become routine and there are toolkits for attackers to make it easier so it's definitely not an emergency but not something you want to slack on.
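Why a FIDO2/WebAuthn key resists the relay-style phishing the comment above describes: the browser writes the origin it is actually on into the signed client data, and the relying party rejects anything not from its own origin, whereas a TOTP code carries no such binding. Added illustration, not code from the original thread; `example.com`, `example-login.net` and the simulated browser step are constructed, and the signature over the assertion is omitted so the origin/rpId checks stand out.

```python
import base64, hashlib, json, os, secrets

RP_ID = "example.com"               # constructed relying-party id
RP_ORIGIN = "https://example.com"   # the only origin the RP accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def browser_sign(challenge: str, page_origin: str, rp_id: str) -> dict:
    """Simulated browser/authenticator output for a WebAuthn assertion.
    clientDataJSON records the origin the browser really saw and
    authenticatorData begins with SHA-256(rpId) plus a flags byte.
    (A real browser also refuses to use a credential whose rpId does not
    match the page origin; this simulation skips that so the server-side
    check can be shown.)"""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data)}

def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party checks that precede signature verification."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replayed or forged)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

def demo() -> tuple:
    challenge = b64url(os.urandom(32))
    legit = verify_assertion(browser_sign(challenge, RP_ORIGIN, RP_ID), challenge)
    # A look-alike site relaying the real challenge still yields an assertion
    # stamped with its own origin, so the RP rejects it.
    phished = verify_assertion(browser_sign(challenge, "https://example-login.net", RP_ID), challenge)
    return legit, phished
```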
It also doesn't help if there's any way around the MFA process. For example, could the attacker convince a minimum-wage support person / chatbot that you need to reset your MFA? Many companies skimp mercilessly on support costs and that makes this easier than it should be. I've even seen sites where your MFA can be reset using an email challenge!
2FA bypass bugs on websites are common, e.g. this PayPal bypass that stemmed from them allowing their own app through without 2FA, since their app didn't support 2FA at the time:
If everyone knows the password, then it's really just 1FA at that point. If you want it to remain 2FA, then yes, you would need to have a new password.