2FA needs a serious reboot
So, my friend recently got hacked, and not only did it take support almost a M O N T H to get back to her, but neither the Google verification app nor her old backup codes work anymore. To put it gently, I am very much upset at Discord for the lack of overall security offered to someone to protect their account.
It seems like the platform was designed to be easy access for hackers, one small link and an oblivious user could compromise YEARS of memories, all because this company doesn't understand the importance of some of these accounts.
Why is it that you can remove 2FA with a simple password input? Why is it that you can generate a new set of access codes with a simple password input? The removal of 2FA and the refresh of these codes should require the current 2FA code on the original user's device to ensure that account stays in some way with the person that it was taken from.
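
The check the post asks for, written out as an added example (not part of the original post and not Discord's code): disabling 2FA or regenerating backup codes needs the password plus a current, unused TOTP code. The action names, the account record and the sample secret (the RFC 6238 test key) are assumptions made for the example.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SENSITIVE = {"disable_2fa", "regenerate_backup_codes"}  # hypothetical action names

def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, secret_b32, salt=b"constructed-salt"):
    """Constructed in-memory record; a real service would use a random salt."""
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": secret_b32, "last_used_step": -1}

def verify_totp(account, code, now, window=1):
    """Accept a code from the current step +/- window, and only once."""
    for drift in range(-window, window + 1):
        step_no = int(now) // STEP + drift
        if step_no < 0:
            continue
        expected = totp(account["totp_secret"], step_no * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            if step_no <= account["last_used_step"]:
                return False  # replay of a code that was already accepted
            account["last_used_step"] = step_no
            return True
    return False

def authorize(account, action, password, code, now):
    """Password is always required; sensitive actions also need a fresh TOTP code."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return False
    if action in SENSITIVE and account["totp_secret"]:
        return code is not None and verify_totp(account, code, now)
    return True

# Sample data: the RFC 6238 test secret "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With this gate, someone who has only phished the password cannot strip 2FA or mint new backup codes, and a code captured once cannot be replayed for a second sensitive action.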