1/ Twitter account update

- Yesterday I got locked out of my account. Triple-checked the URL was twitter.com (it was from the mobile app, too) and followed the restore access flow. Went to sleep.

- Woke up to account hacked. Lots of inbound messages (ty!). Pinged someone who was ble to get account locked down.

Saw someone who had this happen to them, but with their youtube account. In that instance they found out that it was their session ID tokens that were compromised, as they were logged in over a few devices. 
I think it's a lesser known, but pervasive way that hackers are circumventing  2fa and passwords at large.