Astonishing that high damage actions were authorized by authentication delegated to Google and furthermore not subject to hard token 2FA.