Juli Clover, MacRumors:

Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.

With access to an iCloud user’s username and password, Find My iPhone on iCloud.com can be used to “lock” a Mac with a passcode even with two-factor authentication turned on, and that’s what’s going on here.

This does appear to be a genuine hole in Apple’s security scheme, though iCloud itself was not hacked.

Seems like this is fixable. From the comments:

When you go to remote lock a device you enter a lock passcode and the device’s password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn’t match, it won’t lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can’t lock the device without the Mac’s login.

Not sure if this is doable, since your Mac’s password is not stored in the cloud, but maybe the entered password could be encrypted, sent to the Mac, and the Mac could decrypt and compare.