For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.
These kinds of hacks don’t concern me all that much. If someone wants a specific person’s data, they are likely to get it with enough effort and time. Especially if they can get access to their computer.
What does concern me is this bit:
As we’ve mentioned before, Apple’s two-factor implementation does not protect your data, it only protects your payment information. Yes, if you have two-factor authentication enabled, the password reset process for an account can be greatly impeded (you need to provide a special one-off key before you can reset a password), but assuming someone can get your password anyway using any number of phishing or remote-access methods, two-factor verification is absolutely not required for accessing an iCloud backup.
So, 2-Factor authentication is intended to protect access to your payment method, not your data.
Yay! Everything is terrible.