I recently had my account hacked, with 240k Avios transferred out. I had received the 2FA on my mobile twice, but they still managed to get into my account to transfer the Avios. BA have not answered my question of how that was possible, and I’ve given up trying to find out.
Others have suggested that your account will be locked for weeks. My experience was less than a week.
You’re in the opposite situation, but there’s no way the Avios will not be clawed back eventually, so do as you are and don’t spend them.