[metafour]

Would most of the attack been rendered impossible if Matthew answered his phone at 11:39 instead of letting it go to voicemail?

[cobbal]

I'm not sure of the details here, but it wouldn't be too hard to make sure the reset call arrived in the middle of another call.

[eastdakota]

That makes a lot of sense and could have been what happened. It would also make it more difficult for Google to do something like ignore responses that come after 4+ rings.

[greyboy]

I'm more curious why a "secure" PIN is simply left, automated, as a message. A more "secure" option, I would think, would be to require some sort of input from the person who answered (say, "Press 1 for the PIN" where that number is randomized, or something).