Google's two-factor glitch ends in 4chan attack - Security - News - ZDNet Australia:
Prince was using a 20 character, highly randomised password; however, the hackers were able to bypass it by asking Google for an account reset. One option for recovering an account is to have Google send a confirmation code to the phone number associated with the account, and where SMS is not available, it sends the code as a voice call.
Prince believes that the hackers began the recovery process and intercepted the confirmation code by socially engineering US telco AT&T's support staff to gain access to his voicemail, where the code would have ended up.