The attacker never got access to the victim's email accounts. He changed dns records to point to a different server. So he would have gotten some new email emails during the time he had the MX records pointed at his server (and he could have used that time to gather additional information), but he couldn't get to any existing emails.