I classify it as trivial compared to the effort in breaking some real 2FA or otherwise hijacking the start of authority for somebody's online identity/ability to reset their passwords and gain access to an account, like getting possession of a personal domain name to change the authoritative nameservers, set a new MX and receive incoming password-reset emails.
Working in the telecom industry I've seen the pressures that first tier phone service reps are under and how they can be socially engineered, if someone is in possession of enough pieces of a person's identity already, to issue a new SIM or port out a number.
Working in the telecom industry I've seen the pressures that first tier phone service reps are under and how they can be socially engineered, if someone is in possession of enough pieces of a person's identity already, to issue a new SIM or port out a number.