There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof.
There are several ways to attack 2FA:
- Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
- The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
- The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
- The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
Actually I read about an interesting fifth way just the other day.
Because there's something like a 30-second window in which the GA code is valid, someone stealing the code with something like a keylogger could re-use the code to do whatever he wants if he's fast enough after getting the code.