[jewbacca]

A state actor wouldn't even break a sweat getting around 2FA, individually or at scale, if the 2nd factor involves SMS (or the phone system in general) (which, for 99% percent of the 1% of people using it, it currently does):

https://en.wikipedia.org/wiki/Dishfire

It's not even out of the question for malicious private actors who don't have total control over the whole system:

https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-...