How on earth were they able to get in without knowing your favorite car? I'm genuinely curious.
My AA acct was hacked this year and they have 2FA. Huge pain to fix. Of course, they only ask about 2% of the time so the odds of catching criminals is slim. I changed ALL my crummy passwords (yes I reuse them) but didn't bother with UA due to the security questions.