by poglet 1245 days ago
"may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings"

What does MFA settings mean in this context? Does enabling MFA protect users from these types of attacks? Is MFA used as a part of the encryption key used to protect data?

1 comment

TOTP is a popular MFA mechanism that is composed from a shared secret and settings (often communicated by QR code). Utilities like LastPass can generate TOTP codes for you if you share the config. The statement reads like any MFA config shared is potentially compromised and should be replaced.