Once unauthorised people have your SIM in another phone they can request an SMS code for resetting the password to all your accounts, including iCloud, Facebook, Instagram, Twitter and so on. "Even if you have two-factor authentication enabled, unauthorised users can use this method to get the code and access your accounts."
Don't use SMS for two-factor authentication (2FA)
If you do this you will avoid the risk of a sim swop attack
A SIM swap scam (also known as port-out scam, SIM splitting, and simjacking, swim swapping) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.