Longshadow wrote:
If they get your second code, wouldn't they have your phone also???
I had a gmail account with two-step verification that someone successfully bypassed, without having my phone. The sign-in two step was successfully changed, by the hacker, so I could not sign in.
In the two-step I had set up, gmail sent a text to my phone with the code.
After the hack, when I tried to sign-in, gmail's message was that the code was being sent to a gmail email address that is not mine, never was, and I have no idea whose it is.
Gmail, google, was absolutely no help in resolving the issue, telling me the only way I could get access to the account again is to get the code from that other gmail account, then when I had access, I could change the two-step back to what I wanted.
Did I contact that other gmail account to ask for my account to be released back to me? Absolutely not! If someone was there to reply, and was going to demand a "ransom" to release my account, or whatever, I was not going to give them anything more about me than they had already stolen.
After two weeks of pestering google about the situation, I just abandoned them and opened an e-mail in yahoo. The only thing I used that gmail for, anyway, was some online "continuing education" monthly lessons required by the employer I had at the time.
Nothing of value to be stolen there, really, but the sense of being personally violated, then unhelped by google did not sit well at all.