The tl;dr is attackers would:
- Change email address on file
- Revoke 2FA via Twitter admin tools and
- Perform a password reset, which as part of that flow would send the reset code both to the email address on file AND any phone number associated with the account IF 2FA was turned off, which the attackers had turned off before they did the reset.
A good dive into what actually happened, narrated within the timeline of the attack.
Really curious to see what happens leading up to November 3rd this year.
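Detection logic for the three-step sequence the comment describes (email change, 2FA revoked through admin tooling, then a password reset), as an added example that is not part of the original post; the audit-log schema, field names and the `admin_panel` tool name are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines); schema and field names are assumed.
SAMPLE_LOG = """\
{"ts":"2020-07-15T20:01:10Z","account":"u1","action":"email_change","actor":"admin:a7","tool":"admin_panel"}
{"ts":"2020-07-15T20:02:45Z","account":"u1","action":"mfa_disable","actor":"admin:a7","tool":"admin_panel"}
{"ts":"2020-07-15T20:04:02Z","account":"u1","action":"password_reset","actor":"system","tool":"reset_flow"}
{"ts":"2020-07-15T20:05:00Z","account":"u2","action":"mfa_disable","actor":"user:u2","tool":"settings"}
{"ts":"2020-07-15T20:06:00Z","account":"u2","action":"password_reset","actor":"system","tool":"reset_flow"}
{"ts":"2020-07-15T10:00:00Z","account":"u3","action":"email_change","actor":"admin:a2","tool":"admin_panel"}
{"ts":"2020-07-15T20:10:00Z","account":"u3","action":"mfa_disable","actor":"admin:a2","tool":"admin_panel"}
{"ts":"2020-07-15T20:11:00Z","account":"u3","action":"password_reset","actor":"system","tool":"reset_flow"}
"""

SEQUENCE = ("email_change", "mfa_disable", "password_reset")

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Accounts whose trail shows email_change -> mfa_disable -> password_reset
    in order, the first two via admin tooling, all inside `window`."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    flagged = []
    for account, evs in by_account.items():
        step, start = 0, None
        for e in evs:
            if start is not None and e["ts"] - start > window:
                step, start = 0, None  # window expired; restart the match
            if e["action"] == SEQUENCE[step]:
                if step < 2 and e["tool"] != "admin_panel":
                    continue  # self-service changes are not this pattern
                if step == 0:
                    start = e["ts"]
                step += 1
                if step == len(SEQUENCE):
                    flagged.append(account)
                    break
    return flagged
```

In the sample, only u1 matches: u2 disabled 2FA itself from settings, and u3's email change lies outside the 30-minute window.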