What about what the op said?
> 2FA Doesn't Help
> In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.
> Existing sessions are revoked and the password changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to, it's just you arguing with a chat hoping to take control back while praying they don't do it again.
> And if you're part of the A/B tested accounts on which the AI support option is active, tough luck, you can't even turn it off.
It’s true that existing sessions are revoked, because the password was reset.
The reason the target wouldn’t get any notifications at all would be if they never set up any additional verification methods to receive these notifications, since this only worked on accounts without 2FA.
You can test this on your own account: if you have 2FA enabled and reset your password, you’ll receive notifications to whatever option you have enabled.
Also, if you reset the password, it doesn’t remove all 2FA methods on the account (you can test this).
So assuming a threat actor reset the password, they would attempt to log in with the correct password but would still need the 2FA code or approval.