Especially given that they haven't had working 2FA for the longest time, it's not fair to say that OP allowed it or gave someone the keys.
Stretching the analogy, it's more like OP had the room keys lying on a table at a cafe, someone managed to copy the key after sniping a photo and then abused the room while OP was out for the night, and then OP notified the hotel staff once they got back and realized what was going on.
In both cases, OP was unaware of anyone having unauthorized access and it wouldn't have happened (as easily( if the business had better security.
Stretching the analogy, it's more like OP had the room keys lying on a table at a cafe, someone managed to copy the key after sniping a photo and then abused the room while OP was out for the night, and then OP notified the hotel staff once they got back and realized what was going on.
In both cases, OP was unaware of anyone having unauthorized access and it wouldn't have happened (as easily( if the business had better security.