How to hack an email with two-factor authentication. Easy, present the target with two fake pages, one for credentials and the other for the (2FA) one time code. - Don't believe me? - Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers called "Charming Kitten" using this technique

As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password


Charming Kitten is involved in a targeted security breach against top US officials, and obtained emails of over a dozen US Treasury officials, those involved in the nuclear deal assigned between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society


https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/