If this story is true, this would appear to be a simple vector for hijacking email intended for other gmail users. Hard to understate the severity if true.
Have you tested whether you can receive email directed to firstlast@gmail.com? Perhaps theirs is really firstlastt@gmail.com and all their contacts "correct" it.
This feels like a bug that he snuck through early or during a temporary window, before Google started defaulting to . as an ignored alias. Maybe not ¯\_(ツ)_/¯
Have you tested whether you can receive email directed to firstlast@gmail.com? Perhaps theirs is really firstlastt@gmail.com and all their contacts "correct" it.