Go to
https://ec.nintendo.com/my/#/ delete any credit cards and paypal links you have and only fund your eShop via wallet codes which you buy at amazon, best buy, gamestop, etc. Do the same thing for PSN, steam, xbox, etc. Turn on 2FA on all your gaming sites as well, you can use Authy, Google authenticator, etc. Use unique passwords with LastPass, keypass, etc.
Security is multi step, OP fell into one of those niche situations where paypal 2FA only applies to paypal logins. Once you establish a link between Nintendo <> paypal it doesn't require an authentication every time, its a "trusted" link. You have to secure each layer, but as a backup just assume your account could get compromised at some point and remove any way for the hacker to access your actual payment methods.
Yes its all stupid and way too open for smart criminals to take advantage of, but thats the world we live in and you've realized a valuable lesson. Apply it everywhere online. Couple more tips
1. NEVER USE A DEBIT CARD ANYWHERE. Debit cards yank money out of your bank account immediately, thats bad. Credit cards are at least one intermediate step. My debit cards are in a safe and rarely leave it.
2. SETUP CREDIT CARD ALERTS. Every charge greater than a penny should generate an email/text, and you should be reviewing them. Also a reason why I don't go nuts with credit cards and limit how many I have.
3. TRY TO AVOID STORING CREDIT CARDS IN SITES, APPS, ETC. Sometimes its unavoidable but the fewer places you have em, the better.
You can use sites like privacy.com to generate heavily restricted virtual credit card numbers for places you aren't sure about. You should always assume any site will get hacked and the entire list of users, names, addresses, and payment methods will get drained by someone.
You can try to be one of those people who ignores these lessons and most of the time its not impossible to "unwind" bad situations but it takes a lot of time and hassle.