That takes your multi factor and gives it a single point of weakness again, undermining the whole point. If your password safe is compromised, the attacker now has both the password and a code.
I think the problem here was using Google as the account email, the password vault, and the TOTP sync. If they at least had separate services, such as using Microsoft Authenticator for TOTP instead of Google, it would have been harder to compromise everything.