This is really important news. It was mostly social engineering hacking, but it seems to have been very clever. It's important to notice that it wasn't a flaw in two factor authentication itself, but on the recovery options.
I really hate the recovery options. I don't know what they are there. If I forgot my password, my recovery e-mail, I don't want to answer questions to be sure it was me. Who knows how this exactly worked, but it sure seems to be a problem with that logic.
So it seems that there was a bug in the two factor authentication affecting "some accounts" during the recovery procedure (see the update to the article). Slightly worrying that the two factor authentication can be bypassed when resetting a password.
all CloudFlare.com accounts use two-factor authentication. We are still working with Google to understand how the hacker was able to reset the password without providing a valid two-factor authentication token.
I really hate the recovery options. I don't know what they are there. If I forgot my password, my recovery e-mail, I don't want to answer questions to be sure it was me. Who knows how this exactly worked, but it sure seems to be a problem with that logic.