A decade old longread from Wired that also shines a light on how trivial it was to bypass mechanisms of some online services back in the day.
(I am not sure if Wired has this paywalled because I had the BPC extension installed but it opens properly with it).
Hopefully companies have got better at protecting against social engineering since 2012.