It is lost forever…
However, I won’t disable two factor authentication on any account by request.
The point of two factor authentication is that (drumroll please) you have two factors of authentication. The email address / password combination is one, and the two factor device / recovery codes are the second one.
If we would just disable the second factor in response to an email, the security benefit of that second factor would be completely nullified. We would be betraying the trust of our security conscious users by bypassing two factor authentication in that way.