Apparently xitter saw an access from Russia (even if it's blocked by the government) and had no problem giving full access to immediately change the password, disable 2FA and start scamming followers.
It seems an easy attack to fix IMHO: if the access comes from Russia (or a country on the other side of the world) on a business account that always tweets from the same place, then deny access even with valid stolen session cookies.
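
The check proposed above, sketched as an added example (not part of the original post and not any platform's actual logic): a valid session cookie presented from a country outside the account's usual locations is not enough on its own for account-takeover actions. The action names, the 5% baseline threshold, the decision labels and the sample history are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Actions that let a hijacker lock the owner out (illustrative names).
SENSITIVE_ACTIONS = {"change_password", "disable_2fa", "change_email"}

@dataclass(frozen=True)
class Request:
    account: str
    country: Optional[str]   # GeoIP country of this request; None if lookup failed
    action: str
    has_valid_session: bool  # the session cookie itself checked out

def baseline(history, min_share=0.05):
    """Countries making up at least min_share of the account's past activity."""
    counts = Counter(history)
    total = sum(counts.values())
    return {c for c, n in counts.items() if total and n / total >= min_share}

def decide(req, history):
    """Return 'allow', 'step_up' (fresh password + 2FA) or 'deny_and_revoke'."""
    if not req.has_valid_session:
        return "deny_and_revoke"
    usual = baseline(history)
    if not usual:
        # No baseline yet (new account): only gate the sensitive actions.
        return "step_up" if req.action in SENSITIVE_ACTIONS else "allow"
    if req.country in usual:
        return "allow"
    # Valid cookie but unfamiliar or unknown location: the cookie alone
    # must not be able to change credentials or disable 2FA.
    if req.action in SENSITIVE_ACTIONS:
        return "deny_and_revoke"
    return "step_up"

# Constructed sample: a business account that always posts from one country.
HISTORY = ["IT"] * 200
SAMPLE = [
    Request("acme_official", "IT", "post", True),
    Request("acme_official", "RU", "post", True),
    Request("acme_official", "RU", "disable_2fa", True),
    Request("acme_official", None, "change_password", True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.country, r.action, "->", decide(r, HISTORY))
```

Routing non-sensitive actions to `step_up` rather than a hard deny keeps legitimate travel or VPN use workable while still stopping a stolen cookie from being sufficient.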