i think the facts of the matter are that a gmail vulnerability is on the very low likelihood kind of event. they wouldn't burn their insanely valuable vulnerability on showing how much of a fratboy kash is. the most likely possibility is that he either clicked on something dumb and gave access through phishing(really bad) or had a really weak password without 2fa(also really bad).