Proper two-factor isn’t “busted” by this. After all, the password is still secret and encrypted, so this only helps a crook who’s already compromised your password.
The thing this breaks is one-factor SMS authentication, which is the new darling of mobile services. A huge number of sites ostensibly have two-factor, but if you hit the “password reset” button they just text you a code to set a new password.
It’s the new email, but even less secure.
Some things (like Signal) are even less secure than that and basically just consider your phone’s identity to be your identity.
