This is incorrect. They stole the password vaults themselves, so if they crack your master password they'll get access to all of your passwords. Doesn't matter if you have 2FA on. This is one of the main reasons why this breach was so bad.

Yea, 2FA is not used in encryption at all. It's only part of authentication to retrieve the encrypted vault. Since the vaults were already stolen, 2FA is meaningless here.