If you are sure that you where effectively at the correct place, that was NOT a hack but a working safety feature.
The alternate e-mail address or phone number are to be used if you ever forget your password and need to recover or reset it. Those can realy be a life saver.
Most web mail services use some kind of two factor validation. One of those is based on the general location as revealed by your IP adress, browser and OS used as sent by your browser or e-mail client. All of whitch are automaticaly sent every time that you access any web page. Those can't be used to locate you exactly and can't be used to identify you. That's an invisible two factor identification. If you mooved to a new city or country/state, changed your browser or are using a new device, then, it can looks like it may be someone else trying to connect. This will in turn activate an additional autentification process. The same thing will appen if you are on a trip and try to access when on the road when you usualy access from your home.
There is a slight possibility that that account was compromised or was attacked in some way. If that was the case, then, the extra steps where to ensure that it was realy you who was trying to log in. It's also a sign that the attacker was probably NOT able to gain access and that's a good news.
Just in case, you may want to change your password. Make it at LEAST 12 characters long. It can be a phrase like "thE big fat wEading" whitch is a very strong 19 characters passphrase.
Finaly, as it's an account dedicated to on-line purchases, it's often an account that can be thrown away. Just make sure that it don't contain any sencible informations and that you have the importent informations received at that address safely stored elsewhere.
Electro
August 2014