First-As You Mention before wala kang ni log in na anu mang site which is good You Know The Way Of Phishing An Attack Which Trick you To Log In To A Fake Legitimate Log In Section
Second-through Bruteforce You Can Be häçked...Bruteforcing Is the Way Of Attack That Guess Every possible Password you Could Have Until It Gets The Right Password
So it Is Imposibble To häçk An Gmail Account Without This Two Ways So I guess Your Account Is bruteforced And You dont have Strong password To Protect your account...Also You Saying That 2 factor auth is activated?Then How The Attacker Could Bypass The security?I bet the attacker use an device your account was attached before so that the 2 factor auth says "Hey i know this device this is Used before by the owner so I Will let it without 2 factor auth!!" So I Think Thats The way how the attacker bypass the 2 factor authentication...Theres also one way that the attacker manage to get in after the bruteforce...You forgot that the 2 factor auth is deactivated )
See Mine Was in Default So Maybe you Just Forgot That The two factor auth is not activated
Or one Of your friends Or One Of the Devices your account attached before has been used by the attack in order to bypass the 2FA.