The victim (ctvo) claims in another comment down the thread that he had a unique Gmail password not re-used on any other service. So I wrote my comment assuming this is true. But, indeed, if his Gmail password was weak and guessable, then the T-Mobile hack would have allowed the hackers to validate MFA and log in.
