Thinking you're above getting pwned is often step one :)
It's not easy to be 100% vigilant 100% of the time against attacks deliberatly crafted to fall for them. All it takes is a single well crafted attack that strikes when you're tired and you're done.
Numbers game. Plenty of people got the email and deleted it. Only takes one person distracted and thinking "oh yeah my 2FA is pretty old" for them to get pwned.
(I think everyone in this comment chain already knows this, but) PSA: your 2FA does not "get old" and does not need to be rotated (unless the device YOU stored it on was compromised). "Rotate your 2FA periodically" is NOT recommended security advice.
Thinking you're above getting pwned is often step one :)
It's not easy to be 100% vigilant 100% of the time against attacks deliberatly crafted to fall for them. All it takes is a single well crafted attack that strikes when you're tired and you're done.
Numbers game. Plenty of people got the email and deleted it. Only takes one person distracted and thinking "oh yeah my 2FA is pretty old" for them to get pwned.
(I think everyone in this comment chain already knows this, but) PSA: your 2FA does not "get old" and does not need to be rotated (unless the device YOU stored it on was compromised). "Rotate your 2FA periodically" is NOT recommended security advice.
It's more than that. You need to log in, manually, into a new domain you've never used your password before.