Fun fact: I once got a security bounty because they sent the 2FA emails through click (some email monitoring SAAS thing) with "view in web" enabled, and it was set up so that the emails under a given template used an auto incrementing ID, so you just had to request a 2FA email and then access it through click's web UI.