
If I understand it correctly, the attacker managed to reset the password by adding a secondary, fraudulent email account as a recovery option, and Google just logged them in after the password was reset, not requiring a token from the 2-factor system.

That's quite the attack.


