Summary: the 2FA token was only a few digits long, so it could be brute-forced. The application did implement rate limiting, but keyed it on the client IP, and it accepted the X-Forwarded-For header as if it were the real client address. By randomizing that header on every request, the limit was never reached, so an attacker could make as many guesses as they wanted.
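The two defensive fixes this implies are (1) only honouring X-Forwarded-For when the request actually arrived from a known reverse proxy, taking the address that proxy appended rather than whatever the client wrote, and (2) rate limiting 2FA attempts per account as well as per IP, so a forged source address does not help. The following Python is an added example written for this page, not code from the affected application; the proxy address, the sample client addresses and the limits are constructed values.

```python
from collections import defaultdict, deque
import ipaddress

# Constructed assumption: one trusted reverse proxy at 10.0.0.1 fronts the app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def weak_client_ip(remote_addr, headers):
    """The flawed pattern: trusts X-Forwarded-For from anyone, so the client picks its own 'IP'."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, headers):
    """Use X-Forwarded-For only if the TCP peer is a trusted proxy, and take the
    rightmost address that is not itself a trusted proxy: that is the hop the proxy
    appended, which the client cannot forge. Anything else falls back to the peer."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: do not guess, use the proxy's peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return remote_addr


class RateLimiter:
    """Sliding-window counter: at most `limit` events per key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_accepted(resolver, attempts, per_account_limit=None):
    """Constructed simulation: one client behind the trusted proxy submits `attempts`
    2FA codes for the same account, changing the X-Forwarded-For value every time.
    Returns how many of those submissions the rate limiting lets through."""
    ip_limiter = RateLimiter(limit=5, window=60)
    account_limiter = RateLimiter(limit=per_account_limit, window=600) if per_account_limit else None
    accepted = 0
    now = 1000.0
    for i in range(attempts):
        forged = f"198.51.100.{i % 254 + 1}"
        # The proxy appends the true peer (203.0.113.7) after whatever the client sent.
        headers = {"X-Forwarded-For": f"{forged}, 203.0.113.7"}
        t = now + i * 0.01
        ok = ip_limiter.allow(("ip", resolver("10.0.0.1", headers)), t)
        if ok and account_limiter is not None:
            ok = account_limiter.allow(("account", "alice"), t)
        if ok:
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("weak IP resolution:       ", count_accepted(weak_client_ip, 300))
    print("hardened IP resolution:   ", count_accepted(hardened_client_ip, 300))
    print("weak IP + per-account cap:", count_accepted(weak_client_ip, 300, per_account_limit=10))
```

With the weak resolver every forged header lands in a fresh bucket and all 300 guesses go through; with the hardened resolver the limiter sees the same peer address each time and stops at 5. The per-account limiter caps guesses even when the IP logic is wrong, which is why 2FA endpoints should always carry an account-scoped limit in addition to any IP-based one.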