It would certainly require the attacker to be a little more proactive, but it would hardly stop the credentials from being useful.
With the passwords, however, he might have gotten access to the VPN or services. 2FA would have certainly helped.
This is of course only interesting if the passwords were reused (even the most security minted folks do that). If a third party vendor does not support 2FA, or when dealing with legacy code, it believe it is good practice to only use randomly generated passwords by password managers.