The recovery email for these accounts was NOT hijacked. He simply changed the passwords and recovery email and then he subsequently enabled 2FA himself.
However, these old emails were set to automatically forward to one of my new addresses and the hijacker forgot to disable that feature. What I've found is he started to use one of the emails for his own "business". Apparently he makes a living procuring YouTube, Gmail and Twitter handles for people. Judging from these emails, he is quite successful at doing so for YouTube / Gmail handles where 2FA is not enabled.
I realize that enabling 2FA is a must these days, but I find it troubling that this character seems to be able to hijack these accounts so easily, especially when those accounts are inactive, and without the use of phishing or a keylogger. Anyone have any clue how this is possible?
Also a PSA: If you haven't enabled 2FA on any old accounts you might care about, go do that now.