[monopede]

The blog author didn't actually have two factor authentication enabled. The headline is wrong.

[Strom]

You are incorrect, quote from the article:

all CloudFlare.com accounts use two-factor authentication. We are still working with Google to understand how the hacker was able to reset the password without providing a valid two-factor authentication token.

[boundlessdreamz]

He didn't have it for his personal account. But he did have it for cloudfare.com accounts.