
Twitter admits 130 A-lister accounts compromised to promote Bitcoin scam after 'social engineering' attack

Phil Koenig

Re: Your passwords are safe - phew!

The attackers apparently did 2 things on the targeted accounts with the admin creds they gained access to (apparently via social engineering), which are standard admin tasks:

1) Disabled 2FA if enabled

2) Reset the associated email account to an account under their control

Once they had control of the linked email accounts (and with 2FA disabled) they could send password reset requests and at that point they effectively owned the accounts.

None of that discounts the fact that Twitter is incompetent here - in fact I think they are grossly incompetent.

And this also highlights the folly of making access to a particular email address a critical part of any account's so-called "security".

It's not much better than your bank giving someone else access to your account if they are wearing the same brand of shoes you wear.
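The chain the post describes (2FA disabled, recovery email swapped, password reset requested) is exactly the kind of ordered sequence an admin-tool audit log can be watched for. The following is an added example, not code from the post or from Twitter; the log format, account names and admin identifiers are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format): timestamp, acting admin,
# target account, action. "admin=-" marks a self-service action by the account holder.
SAMPLE_EVENTS = [
    "2020-07-15T20:01:10Z admin=support42 account=alice action=mfa_disabled",
    "2020-07-15T20:02:05Z admin=support42 account=alice action=recovery_email_changed",
    "2020-07-15T20:03:30Z admin=- account=alice action=password_reset_requested",
    "2020-07-15T20:05:00Z admin=support17 account=bob action=mfa_disabled",
    "2020-07-16T09:00:00Z admin=support17 account=bob action=recovery_email_changed",
    "2020-07-15T21:00:00Z admin=support42 account=carol action=recovery_email_changed",
]

# The takeover chain, in the order the post describes it.
SEQUENCE = ("mfa_disabled", "recovery_email_changed", "password_reset_requested")


def parse_event(line):
    """Split one log line into a dict with a parsed 'ts' and the key=value fields."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def chain_stage(events, window):
    """Count how many steps of SEQUENCE occur in order, all within `window` of the first."""
    stage, start = 0, None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if stage == len(SEQUENCE):
            break
        if ev["action"] != SEQUENCE[stage]:
            continue
        if stage == 0:
            start = ev["ts"]
        elif ev["ts"] - start > window:
            break  # later step too far from the first: treat as unrelated admin work
        stage += 1
    return stage


def detect_takeover_chains(lines, window=timedelta(minutes=30), min_stage=2):
    """Return {account: stage} for accounts that reach at least `min_stage` steps of the chain."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_account[ev["account"]].append(ev)
    stages = {acct: chain_stage(evs, window) for acct, evs in by_account.items()}
    return {acct: s for acct, s in stages.items() if s >= min_stage}
```

With the sample above only `alice` is flagged (all three steps inside two and a half minutes); `bob` stops at stage 1 because the email change comes a day later, and `carol` never hits the first step.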
