This particular scenario involved injecting server code in 2015, then waiting until 2019 to use the credentials they collected. They would not be able to bypass 2FA here.

It’s true that 2FA wouldn’t protect you from having your account compromised immediately, but that’s not what happened.