That brings up a page where Twitter wants my phone number, which they can't have.

You're assuming at this point they want your number.

It is not unreasonable to assume that this has been changed to the attackers number.

True, but they are still asking for it even now and they prefix it with the NL country code.

Easy enough to figure out NL, your phone number is in your HN profile.

Then, the hacker just gets a local number, which should be easy enough these days.

True, but I would assume this is because Twitter has geolocated my IP to NL.

Oddly enough I was able to select between [ Text message, Authentication app, Security key ]. I chose Authentication app, and I was not asked for my phone number. Though your account may now be in a "special state" due to these circumstances.

EDIT: Ah I see elsewhere you said you don't use a smart phone (thus, no authentication app.)