Well it was partly my fault for letting a seperate domain expire: someone grabbed it up and started an email with my old address. That old email was the contact for the stolen domain-they seem to have used it to have the password reset, locking me out. I still have the phone I used for 2FA and Godaddy is supposedly investigating, but it's been months and I've pretty much given up hope. They email every 3 days to tell me they haven't got a chance to look into it yet...