The coast is clear now, but for a while there, Google's two-step verification system wasn't keeping you as safe as you thought. In fact, it was providing an avenue for folks to get in. App-specific passwords were propping your door open.
The exploit was found—and reported—by Duo Security, which is publishing its data now that Google has fixed things up. If you've enabled two-step (which you should), you know that using applications like Twitter or Facebook or Instagram often involves an app-specific password. Apps that don't just pass you to a Google login page and have you enter a phone code will tell you to go get an app-specific password manually from your account page and put that in.