I have been 'hacked' before in a game I used to play that ironically had two-factor authentication (A 'Pin-code' system). That's the only thing of mine that has ever been exploited and it turns out they got a SQL dump with non-salted passwords, likely got the un-hashed pass in minutes and brute-forced my pin as the game seems to have zero brute-force recognition. I later got my character back and all of it's stuff as there was an obvious roll-back.
A pin code system that send's to an e-mail address is insufficient, when someone get's into your one single e-mail account anything linked to that account is as risk. Using a true 2 factor authentication method includes some type of external hardware, be it your phone, code card, usb keyfob, or keychain token.