Interesting. I got an email last week that purported to be from Google about requesting an MFA code to login. It looked legit but I wonder if it was using this same exploit.