So the hypothesis is that the attacker reset 2FA and then reset your password? (I wasn't sure whether you were saying they let you, or possibly that they let the attacker reset it.)
Yup - they let the attacker do it. All you need is the email address and/or phone number. If this information is already public - well, you're hosed @hboon
You should see the email I got when it was time to ask for a reset - maybe you just need to be convincing, aka social engineering.
Wow