It might be confusing but that was account recovery attack.
For account recovery there is no "password" as thieves just made their own password while having victim phone number.
So phone number as a password recovery option is not secure without any additional checks. Not 2FA because with this attack there was no second factor.
It might be confusing but that was account recovery attack.
For account recovery there is no "password" as thieves just made their own password while having victim phone number.
So phone number as a password recovery option is not secure without any additional checks. Not 2FA because with this attack there was no second factor.