by aryan14
23 days ago
> “In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.” This is false. Important to note this did not work if your account had 2FA of any kind, e.g. if you had a time-based authenticator enabled, after the AI gave you the code to reset the password, it had no notable privileges beyond that. TL;DR: if you had 2FA this wouldn’t work on you.

What about what the OP said?
> 2FA Doesn't Help
> In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.
> Existing sessions are revoked and the password changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to, it's just you arguing with a chat hoping to take control back while praying they don't do it again.
> And if you're part of the A/B tested accounts on which the AI support option is active, tough luck, you can't even turn it off.