I was sitting here reading something when my phone beeped with a SMS notification. From Apple, with an Apple ID Verification Code (two factor authentication is enabled in my account). I only use this for iTunes - and haven't used iTunes in a couple of years now, with Amazon Fire TV, Netflix and Hulu.
No, this is not a phishing SMS. There's no link or request to reply. It's just the standard SMS Apple sends for 2FA.
So I logged into my account and get a new verification code. Yep, from same SMS number and same wording. I change my password and all is good.
Now, this begs the question: to get the SMS sent to your phone the correct email and password must have been entered. How did someone else have that? My iTunes password is unique and long. Never used it anywhere else and a search doesn't show it anywhere.
Have you seen any strange activity in your account lately?