a non jailbroken iOS device can not be hacked because any App to do so would need to be sold on Apple's App Store and iOS development tools programmers use to create Apps and sell through the store don't have features to allow spyware.
If you are seeing an authentication request on your device that does not coincide with your physical location that is very common. The location has to do with your ISP's server location. I'm in Charlotte NC but I routinely see Bangor ME, Portland OR and Houston TX on various systems at work who use different provider connection but are connected through my account, all of these location are legitimate locations. The 2FA is seeing the servers of my ISP, not my device.