If he wasn’t trying to log in then how did he have anywhere to input a 2FA code? If he was trying to log in its possible that his PC was compromised by malware and he got his credentials + 2FA stolen by EvilProxy
Edit: checked out a bit of the video for context. It sure sounds like that it was probably bad 2FA set up. Does Google still support security questions? If he’s had partner for a decade then surely security questions were set up as a second factor. I don’t know if they are still supported though