Hi all,
I tried to post this as an answer to another question, but it doesn't seem to show up -- so here comes again...

So my mom's account has been hacked and all her contacts received one of those typical emails asking for help and money.
After receiving a few worried phone calls, she immediately tried to reset her password but she can't: the contact phone and alternate email address are incorrect! (changed by the hacker)
She then tried to fill in the password reset questionnaire (by providing an alternate email address and filling in a bunch of user-verification questions), but the response (sent to her alternate email) was that they had to IGNORE this request because she had already activated the two-step verification process!!
The thing is, she never activated that! (again: hacker's deed)

So?... Wait, is that it???
Did I miss something? Is there really nothing we can do???

If that's the case, there is a serious vulnerability there!!!
It means that once a hacker enters an account, he can lock himself in and prevent password reset simply by changing password and contact details and by activating the two-step verification??!!

Please tell me I missed something!
We would like to resolve this before anyone gets scammed!...
What can we do???

Thanks A LOT for your help!
(the sooner the better! ;-)