That's a potentially terrifying breach because your second factor has effectively been permanently backdoored by the app developer without your knowledge. I'm hoping this has been reported and a check for this sort of thing is added to the review process for all MFA apps.

On a related note: security experts of HN, which (if any) TOTP authenticator apps would you use/recommend? I currently use Duo Authenticator, except for one thing which bafflingly will only work with Google Authenticator and not Duo (don't ask me why), or things like Steam or LastPass which have their own home-baked authentication app. Any reason to use something different?

I used Authy initially. I then exported all the TOTP tokens out of Authy and imported them into Unix pass and Aegis. So on my laptop I just use pass, and on mobile it's Aegis.

I use pass myself. I had no idea you could use it for OTP. Are you using something like this? https://github.com/tadfisher/pass-otp