From reading HN comments, it is more likely that the attacker changed the account email from the admin panel and took over the account (even accounts with 2FA enabled), which seems more likely to me.
To prevent this kind of mess, Twitter should add more restrictions to disable 2FA on an account (multiple admin authorizations, email notification, add delay before the action is performed) and also change the account state to unverified and add to the feed an "email changed" or "identity changed" status. I also think that changing the email should not be immediate and that the old email should be notified of the change.
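A sketch of the controls proposed in the comment above (multiple admin authorizations, a delay, notification of the old email, dropping the verified state and a feed entry), added here as an example and not part of the original comment or any real Twitter code. The class names, the two-approver threshold and the 24-hour delay are assumptions; the same gate could wrap a 2FA-disable action.

```python
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2       # assumed policy: two admins besides the requester
DELAY_SECONDS = 24 * 3600    # assumed cooling-off period before the change lands

@dataclass
class Account:
    email: str
    verified: bool = True
    feed: list = field(default_factory=list)

@dataclass
class EmailChange:
    account: Account
    new_email: str
    requested_by: str
    requested_at: float
    approvers: set = field(default_factory=set)
    cancelled: bool = False  # set to True when the owner reacts to the notice

class ChangeQueue:
    def __init__(self, notify):
        self.notify = notify  # hypothetical callable(address, message)

    def request(self, account, new_email, admin, now):
        # The old address is told right away, while the change is still pending.
        self.notify(account.email, f"Pending email change to {new_email}")
        return EmailChange(account, new_email, admin, now)

    def approve(self, change, admin):
        if admin == change.requested_by:
            raise PermissionError("requester cannot approve their own change")
        change.approvers.add(admin)  # a set, so one admin counts once

    def apply(self, change, now):
        if change.cancelled:
            return "cancelled"
        if len(change.approvers) < REQUIRED_APPROVALS:
            return "needs_approval"
        if now - change.requested_at < DELAY_SECONDS:
            return "waiting"
        acct, old = change.account, change.account.email
        acct.email = change.new_email
        acct.verified = False               # identity changed: drop verified state
        acct.feed.append("email changed")   # visible status in the account feed
        self.notify(old, "Your account email was changed")
        return "applied"
```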