The recent celebrity attacks were sophisticated. But even if you had 2 step authentication that would not have been enough. 

Two-factor is billed by Apple and many security experts as a way to protect yourself from simple password theft. It requires that you have a code sent to your physical device to confirm that yes, it is you logging in to your Apple account.

However, Apple’s two-factor solution is actually incomplete. It does not cover many other iCloud services, including backups.

In fact, the only three things two-factor secures in iCloud are :-

1) Signing in to My Apple ID to manage their Apple account.
2)Making iTunes, App Store, or iBookstore purchases from a new device.
3) Receiving Apple ID-related support from Apple.

It does not, however, make you enter a verification code if you restore a new device from an iCloud backup. And that’s what the hackers are using. Download a backup and then explore away!