That doesn’t bode well, it means it was captured via phishing, sniffed via MitM, stolen via keylogger/malware, stolen from a place that has it stored, observed if you typed it in, or perhaps brute-forced. Regardless, that’s what 2FA is for, so congrats on excellent OpSec!