When someone tries to hack your Google account, for example, then can phish your login and password out of you by having you click on a malicious link. Once the get access to your account, then can change recovery information (additional email addresses and phones) to theirs.

And, by having that info, the hacker can reset the password.

However, in the resent days, it became much harder to change the recovery info without using original phone/email for 2FA (2 factor authentication) steps during password reset.

But if the hacker doesn’t need prolonged access to the account, they can just take info they need and not bother to get access anymore.