After the T-Mobile hack, I changed my password and my security code. However, I also use 2FA using one time passwords. How safe is that from a server side hack?
Servers are not supposed to save clear text passwords. Instead, they store a hash of the password. Even the server doesn’t know your password. Give them the password, and they put it through a sophisticated algorithm and see if they get the same hash.
However the seeds for One Time Passwords can’t be hashed. They must be known between the user and the server, so they both can use the same time based algorithm. That means they can’t be easily encrypted.
Does that mean if someone breaks into the server, they can steal the password and the OTP seed?
If you are assuming password hashes were stolen (I haven’t been paying much attention myself, as I am not a T-Mobile customer), the safest case I would say is to assume the key for the TOTP was stolen and generate a new one. T-Mobile should have a method for this (generally it’s to turn off 2FA and then turn it back on if there is no discrete method to generate a new TOTP key.)
They can be encrypted, as long as the server also has the key to decrypt it.
You may be thinking of “hashed”. Hashing is a non-reversible algorithm often used for storing passwords in a way that makes it hard to extract the original password. But as you point out, hashing a TOTP seed would make the seed useless.
Of course, if the hackers stole the server’s encryption key (used to decode the TOTP seeds), then the encrypted seeds would be compromised.
I agree with @ddmiller. It’s best to assume that the see has been compromised. Generate a new key just to be safe.