Putting #1 as #1 looks like bitter deflection. You do it elsewhere in the thread too, saying that lack of 2fa on the email account opened the door to this. You should be well aware both that most security issues end up being a perfect storm of circumstances, and that attackers can and will target multiple points in the chain. Relying on #1 as the spearhead of your apparent defense here is tantamount to admitting that you are relying on the security of people's email accounts as part of your own security process, which is wild.
You also didn't mention all the terrible things the OP pointed out that someone can do with just your password even when 2fa is enabled.
However, it's relevant to the story because there's a huge difference between sending a password reset to the email already listed on an account vs. resetting it for any random person who starts a chat.
This doesn't excuse their other issues, but it makes the customer support rep's behavior a bit less awful, even if they still violated protocol.