Does your web service currently support SMS 2-factor codes? Can your users recover their password with an SMS code?

You should seriously consider dropping support for both of these things now!

SIM swap attacks have been known to the hacker world for a while now, and with higher-profile reporting on them recently, it's possible we'll see a spike in these attacks.

These attacks are very easy to pull off, even for a non-technical attacker. At the very least, ensure users can fully opt out of SMS features.
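A full opt-out has to cover both places SMS appears, 2-factor codes at login and password recovery. The sketch below is an added example, not code from any particular service: the `Account` model, its field names and the sample accounts are assumptions. It shows a channel selector that never falls back to SMS for an opted-out user, plus an audit that flags accounts where the opt-out was applied to one flow but not the other.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    # Hypothetical account model; field names are assumptions for this example.
    user: str
    sms_opt_out: bool
    login_factors: set = field(default_factory=set)      # e.g. {"totp", "sms"}
    recovery_channels: set = field(default_factory=set)  # e.g. {"email", "sms"}

def allowed_channels(account, flow):
    """Return the channels usable for 'login' or 'recovery', honoring SMS opt-out."""
    if flow not in ("login", "recovery"):
        raise ValueError(f"unknown flow: {flow}")
    configured = account.login_factors if flow == "login" else account.recovery_channels
    if account.sms_opt_out:
        # Never fall back to SMS, even if that leaves no channel at all;
        # an empty result should route the user to a non-SMS support process.
        return set(configured) - {"sms"}
    return set(configured)

def audit_opt_out(accounts):
    """List (user, flow) pairs where an opted-out account still has SMS configured."""
    findings = []
    for acct in accounts:
        if not acct.sms_opt_out:
            continue
        if "sms" in acct.login_factors:
            findings.append((acct.user, "login"))
        if "sms" in acct.recovery_channels:
            findings.append((acct.user, "recovery"))
    return findings

# Constructed sample data, not real accounts.
ACCOUNTS = [
    Account("alice", True, {"totp"}, {"email", "sms"}),   # opt-out missed recovery
    Account("bob", False, {"sms"}, {"sms"}),              # has not opted out
    Account("carol", True, {"totp", "sms"}, {"email"}),   # opt-out missed login
    Account("dave", True, {"totp"}, {"email"}),           # fully opted out
]

if __name__ == "__main__":
    for user, flow in audit_opt_out(ACCOUNTS):
        print(f"{user}: SMS still configured for {flow} despite opt-out")
```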

