Great reporting by Matthew Panzarino:
[Apple’s two-factor authentication] does not, however, make you enter a verification code if you restore a new device from an iCloud backup. And that’s the design ‘feature’ that hackers are taking advantage of here.
Even if the hackers do not actually download the entire backup — or if there is no backup on the account — they still have access to a user’s Photo Stream at this point, which is also not protected by two-factor authentication.
So, even if all of the people who have had their photos compromised had two-factor enabled, their iCloud backups and Photo Streams would still be accessible.
It seems like a pretty big omission on Apple’s part.
However, even though Apple’s two-factor authentication probably wouldn’t have stopped these photos from leaking, it can still protect your account against many other forms of unintended access, so you should always have it enabled for your Apple ID.