I mean, yes, everything is hackable.
Thankfully the hardware key supports FIDO where there is a public / private pair with private locked on the hardware. Not enough services support this though.
So the threat is being targeted and having somebody steal the hardware key.
If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.
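An added example, not part of the posts above, illustrating why the TOTP secret is exposed by the same website compromise that exposes a password: TOTP is symmetric, so the site must keep a usable copy of the secret to check codes, whereas a FIDO relying party stores only a public key. The function names and the enrollment record are hypothetical; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the clock."""
    counter = struct.pack(">Q", max(0, unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(stored_secret: bytes, submitted: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """Server-side check. The server cannot verify a code without recomputing it,
    so whatever it stores is a full copy of the user's second factor."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    for drift in range(-window, window + 1):  # tolerate +/- window steps of clock drift
        expected = totp(stored_secret, unix_time + drift * step, step, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed enrollment record as a site would hold it (hypothetical schema).
SERVER_RECORD = {"user": "alice", "totp_secret": b"12345678901234567890"}


def demo(now: int = 59):
    """Device and server derive the same code from the same stored bytes."""
    device_code = totp(SERVER_RECORD["totp_secret"], now)
    accepted = server_verify(SERVER_RECORD["totp_secret"], device_code, now)
    return device_code, accepted


if __name__ == "__main__":
    print(demo())
```

Because verification is just recomputation, the stored secret deserves the same protection as a signing key (encrypted at rest, separated from the password table), which is the gap FIDO closes by keeping the private half on the hardware.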