So hipoteticly the guy had 2fa on but no pin configured in the app; his user pass was fished on a compromised site and the thief used the app to steal the money; that makes sense?