I’ve been hacked and want to get them totally out of my account

What to do in this situation?

I’m not at all tech savvy and there is probably a sub better suited for this but I don’t know it so I’ll post here.

I got hacked. At first, a few days ago there was a login from the USA on my email(im from the UK) I changed my password, added my phone number, thought it was done. Then I was on Spotify and saw a bunch of liked songs I had never listened to. I changed my password clicked “sign out of all devices”, changed it again and signed out of all devices again. I know I have a terrible habit which I didn’t realise was this bad: I log into a lot of websites with my primary email account with the same, pretty insecure password. I’ve changed the passwords for all the sites someone might access, but not any others.

Then, I noticed some files on my phone, with the attachments. .tmb, and crypt14. Apparently its not malware or anything but it still terrified me. Another thing, Gmail has a feature to look at all devices signed into your account in the last 28 days, and there were no unusual ones, but what about that one from the USA, that one didn’t show up, so I’m wondering how accurate that even is? I have no bank accounts since I’m 14, but I hate the idea that somebody Is lurking on my device or using some random website I logged into under my name. Luckily none of my details have been changed and I have added my phone number as an extra layer of security.

So my main questions are

Steps moving forwards?

How to find EVERY SINGLE website your email address is logged into so I can delete the accounts or change the passwords?

How likely you think it is that the hacker only actually wanted to access my Spotify, as that is the only paid websites I use?

Thank you for any help, please answer fast, I’m basically terrified at the prospect of anyone on my devices or doing anything under my name.