by frequentlywrong 3518 days ago
I haven't heard about those. Do you have a link to a web page that explains more?

The reason I'd prefer my own domain is quite simply that I'd like to avoid being locked into a specific email company.

1 comments

I've read a number of stories on the topic - the basic technique is to identify the domain registrar or DNS provider and attempt to manually reset the password by spear-phishing with the customer service rep. Once you're in, MX can be redirected to a host of the attacker's choice, and then you can initiate password resets on any number of third-party services.

One example of a DNS-based MX hijack is http://arstechnica.com/security/2015/02/attackers-take-contr... although I'm at a loss to come up with some more specific (and exciting!) examples that I can clearly remember.

It's a vulnerability that simply doesn't exist with gmail/hotmail/outlook.com addresses. Do you know whether your domain registrar and DNS providers' CSRs mandate 2FA or allow multiple attempts at guessing security questions?

EDIT: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-... used the same attack.
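One defensive check for the MX-redirect step described in the comment above, as an added example that is not part of the thread: snapshot the domain's MX set and alert when records appear, disappear, or the highest-priority host changes. The domain, hosts and dig-style answer lines are constructed; no real registrar or DNS provider is queried.

```python
"""Detect MX-record drift against a known-good baseline (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    priority: int
    host: str


def parse_mx_answers(lines):
    """Parse dig-style answer lines such as
    'example.com. 300 IN MX 10 mx1.example.com.' into a set of MXRecord.
    Hosts are normalised (trailing dot stripped, lower-cased) so that
    cosmetic differences between snapshots are not reported as drift."""
    records = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[3].upper() != "MX":
            continue  # ignore non-MX records and blank/comment lines
        records.add(MXRecord(int(parts[4]), parts[5].rstrip(".").lower()))
    return records


def _primary(records):
    """Lowest priority value wins in MX; ties broken by host name for determinism."""
    return min(records, key=lambda r: (r.priority, r.host)).host if records else None


def mx_drift(baseline_lines, observed_lines):
    """Return added records, removed records, and whether the primary MX changed.
    A new record with a lower priority than every baseline record is the
    classic sign of mail being redirected without touching existing entries."""
    baseline = parse_mx_answers(baseline_lines)
    observed = parse_mx_answers(observed_lines)
    return {
        "added": observed - baseline,
        "removed": baseline - observed,
        "primary_changed": _primary(baseline) != _primary(observed),
    }


# Constructed sample data: a saved baseline and a later observation in which a
# priority-0 record has been inserted ahead of the legitimate mail hosts.
BASELINE_LINES = [
    "example.com. 3600 IN MX 10 mx1.example.com.",
    "example.com. 3600 IN MX 20 mx2.example.com.",
]
OBSERVED_LINES = [
    "example.com. 300 IN MX 10 MX1.example.com.",
    "example.com. 300 IN MX 20 mx2.example.com.",
    "example.com. 300 IN MX 0 relay.attacker-placeholder.invalid.",
]

if __name__ == "__main__":
    print(mx_drift(BASELINE_LINES, OBSERVED_LINES))
```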