So the solution was to do the same thing that the hackers did??

> "tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control"

I agree it seems like they could later use the same flow to get access again but maybe Meta has blocked some location spoofing now