tl;dr: Hacker used social engineering to add a secondary recovery email address to the victim's Google account.
2-factor wasn't even enabled on the victim's personal account, but the hacker didn't need a 2-factor code to reset the password on the victim's company account.
From the article:
Google reports that they discovered a "subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts. We've now blocked that attack vector to prevent further abuse."
How is that social engineering? It doesn't seem like human behavior played any role in this at all. The hacker interacted only with automated systems.
This is a security bug that was exploited. It should not be possible to reset a password without the 2-factor auth code, period. If that is possible, then the 2-factor auth is broken.
When people say 2-factor auth code is broken, it implies there was an issue with the 2-factor authentication code itself.
That would mean things like RSA and other token-based authentication might be at risk. So no, 2-factor auth is not broken. Authentication in Google is broken.
Well of course the concept of 2-factor auth is still sound. No inherent flaws in the math or the theory. But this particular implementation is quite broken.
The title of the article doesn't even mention 2-factor: "Post Mortem: Today's Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself"