Juli Clover reporting for MacRumors:
Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.
With access to an iCloud user’s username and password, Find My iPhone on iCloud.com can be used to “lock” a Mac with a passcode even with two-factor authentication turned on, and that’s what’s going on here.
Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person’s only trusted device has gone missing.
And this, my friends, why you should never used the same password accross multiple sites. It’s also a great idea to use a password manager — such as 1Password or Apple’s own iCloud Keychain — to be able to make longer, more secure passwords and not have to remember them all.