Not sure what he meant, but it's usually possible to brute force even decent online auth systems.
Since most of these systems are rate-limited per-account, instead of iterating over passwords for a given account, you can iterate over accounts for a given (common) password. This won't work for a targeted attack, but if you have thousands of valid email addresses, trying them all with e.g. "password" as the password will likely yield a few for which it works.
This becomes hard when you have many users behind one IP (corporate NATs, schools, entire countries, etc), and when attackers can hop proxies fairly easily.
Since most of these systems are rate-limited per-account, instead of iterating over passwords for a given account, you can iterate over accounts for a given (common) password. This won't work for a targeted attack, but if you have thousands of valid email addresses, trying them all with e.g. "password" as the password will likely yield a few for which it works.