So what are the details of the risk here? Can texted 2FA use old codes to math out new ones? Is it just that they know which phone number goes to an account they can do another kind of attack on to get new codes?

From what I read these are old texted one time codes. Good one time, generally only for a few minutes. Useless now.

Or is this bad only because there’s a breach somewhere, they don’t know where, and who knows what else they have?