
oathauth-api-all is not blacklisted
Closed, Resolved. Public

Description

As far as I can see, https://meta.miraheze.org/w/api.php?action=query&meta=oath&oathuser=<username> allows you to check if someone has 2FA enabled.

Should this be private?
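An added audit check, not part of this task or of Miraheze's code: the group permission behind this endpoint is the right `oathauth-api-all`, and a quick way to confirm it is blacklisted on a wiki is to inspect `action=query&meta=siteinfo&siprop=usergroups` and list which groups still hold it. The response body below is constructed for the example (the group names and rights are assumptions, not a real wiki's configuration).

```python
import json

# Right that lets a user query another account's 2FA status via
# api.php?action=query&meta=oath&oathuser=<username> (OATHAuth extension).
OATH_API_RIGHT = "oathauth-api-all"


def groups_with_right(siteinfo_json: str, right: str = OATH_API_RIGHT) -> list[str]:
    """Return the user groups holding `right`, parsed from a
    action=query&meta=siteinfo&siprop=usergroups response body."""
    data = json.loads(siteinfo_json)
    groups = data.get("query", {}).get("usergroups", [])
    return sorted(g["name"] for g in groups if right in g.get("rights", []))


def audit(siteinfo_json: str, allowed_groups=frozenset()) -> list[str]:
    """Return groups that hold the right but are not on the allowlist.
    An empty list means the right is effectively blacklisted for everyone else."""
    return [g for g in groups_with_right(siteinfo_json) if g not in allowed_groups]


# Constructed sample response (assumption, not real Miraheze data):
# the local sysop group still holds oathauth-api-all.
SAMPLE = json.dumps({
    "query": {"usergroups": [
        {"name": "*", "rights": ["read", "createaccount"]},
        {"name": "user", "rights": ["read", "edit", "oathauth-enable"]},
        {"name": "sysop", "rights": ["block", "delete", "oathauth-api-all"]},
        {"name": "steward", "rights": ["oathauth-api-all"]},
    ]}
})

if __name__ == "__main__":
    print("groups holding", OATH_API_RIGHT + ":", groups_with_right(SAMPLE))
    # Only the farm-level group is expected to keep the right; sysop is a finding.
    print("unexpected holders:", audit(SAMPLE, allowed_groups={"steward"}))
```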

Event Timeline

RhinosF1 raised the priority of this task from High to Unbreak Now!.

Per discussion on IRC, any sysop seems to be able to view someone's 2FA status

@Reception123 is looking

Have pinged @Paladox and, since he's already done blacklists, I'd rather leave it to him

Reception123 lowered the priority of this task from Unbreak Now! to High. Jun 16 2020, 10:19
Paladox claimed this task.
Paladox added subscribers: John, Southparkfan.

I just wanted to say, this was not a UBN task. Please use the "priority" field responsibly. Not every security issue equals UBN. Each has a severity. Like exposing PII equals UBN. But merely being able to view your 2FA status does not.

I'm happy to be told I'm wrong though (@John / @Southparkfan)

Paladox changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 16 2020, 10:29
Paladox changed the edit policy from "Custom Policy" to "All Users".

Merely being able to view the 2FA status means someone could fairly easily, given CentralAuth, get a large list of accounts, find whether they have 2FA on, and use the ones without to brute force, as they would know that there's less of a chance of hitting accounts with 2FA.

I'd want to know if information on how I was securing or not securing my account was publicly accessible (and it was to all sysops)

> I just wanted to say, this was not a UBN task. Please use the "priority" field responsibly. Not every security issue equals UBN. Each has a severity. Like exposing PII equals UBN. But merely being able to view your 2FA status does not.
>
> I'm happy to be told I'm wrong though (@John / @Southparkfan)

Yes the issue here is whether we distinguish PII and PI and whether simply revealing PI is cause for notifying users as it is with PII.

"Not every security issue equals UBN." is plainly wrong. Every security incident needs to be resolved as soon as possible at the highest urgency.

To be completely honest I'm not even sure if this is/was a security issue at all. Viewing whether or not someone has 2FA enabled does not actually compromise or expose anything. Sure, it could potentially make it easier for someone to break into an unsecured account, but they would still have to create an effective brute force technique and correctly guess the password and/or recovery email to change it. While I don't want to say too much about the inner workings of this stuff on a public ticket, I can say that the odds of two or more random unsecured accounts having the exact same passwords, and therefore being compromised at the same time by a single brute force, are exceptionally low.