
Does anyone else get the feeling that the attacker is going to be someone the Cloudflare team knows? Firstly they would have had to have known Matthew's phone number. Then, assuming the attacker always had the plan of disrupting the target site, they would have had to have known that the password reset mails were BCC'd to admins.


Getting someone's phone number seems pretty insignificant compared to using a previously undisclosed Google security flaw.

And it's probably safe to assume that once you control the admin email account for a site, it's game over. You could request resets from other providers


That's what I thought too. With only 2 hours in the system they seemed to know a lot of details about internal stuff.



