From my understanding, the 2FA on blockchain.info only prevents an attacker from retrieving the encrypted wallet file (from blockchain.info directly). If he can get it some other way, for example by compromising the Hotmail account, it's not impossible to brute the wallet.
I was also surprised to learn that. Apparently the default settings for the wallet encryption are rather weak.
It happened to this guy on reddit:
http://www.reddit.com/r/Bitcoin/comments/1ubv3o/my_blockchaininfo_wallet_hacked_strong_unique/