Free Republic

To: Leonard210; for-q-clinton
“All you need is someone’s iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes.”

If you HAVE anyone's password then of course you've got access.

Let's look at what your linked article claims. . .

In fact, I was able to use an iBrute-like tool to crack my own password (which, to be clear, was chosen to be extremely easy to crack. Like, it was Passw0rd1. Apple wouldn't let me use Passw0rd, but Passw0rd1 was just fine.).

That Passw0rd1 is on the list of the twenty most commonly used passwords. iBrute uses the 500 most commonly used passwords to attempt its break-ins. She knew this, so she used one. Whoop-do-doo. Apple warns users who attempt to use passwords such as hers that it is too weak. They have a tool right when you input your proposed password testing its strength. Anyone can SEE immediately how robust their password is.

Had either she or her sister used two-factor authentication, none of this could have worked. I use it. Her sister would have gotten a text on a trusted device with a PIN number that had to be input before going further. NO SECURITY QUESTIONS TO GUESS. A text to her sister telling her someone was trying to access her account, and if it was her, she could continue by entering the PIN. Three chances to get it right, or it's locked. That's it.

It is also noted that the EPPB software she then used also works for multiple platforms, not just Apple.

The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.

And again requires the user name and an easily cracked password. She used her sister's account to break into by changing her password. . . as if she doesn't know the secret details that might be in the security question of her sister, right, sure. That was easy. Try that with a complete stranger. Not so easy, is it?

Then she claims she could sneaker net a USB stick and steal the "iCloud access Token" from all of her colleagues' computers and easily break into their personal iCloud accounts with the $400 EPPB Pro version. But, there is a caveat she mentions only in passing as though it's just a minor trivial issue. The target of her nefarious theft—I'm certain she would want to steal this data surreptitiously—must be logged onto his or her iCloud account on their computer with their user name and password for her to steal the Token! Most people are not logged in except rarely. I have logged into my iCloud account on my Mac exactly twice in two years. . . both times to check for a lost email. Other than that, nope. Everything else, I handle on my iPad or iPhone. She's not going to get my Token off my encrypted Macs. . . and not off most anyone else's for the same reason. The odds they will be logged onto iCloud are slim and none. If she's going to rely on a remote malware invasion to get it from a Mac which would lie in wait for some future iCloud connection . . . that's even harder. So BZZZZT! Not happening as easily as she implies.

Guess what, I just tried logging on from my Mac. . . it required Two-factor authentication. . . and I have the token. So that's out too. Oh, well. EPPB is out of options.

26 posted on 09/04/2014 10:14:50 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)


To: Swordmaker

So if two-part authentication is the cure, why is it not the default? How did the most brilliant company in the world fail to include, at the most basic level, the one thing that would actually make their system, ya know, secure? And then blame the user of that system? What a bunch of iHoles.


27 posted on 09/04/2014 10:28:51 PM PDT by Leonard210 (Pro-life Creationist, Constitutional Federalist, Deprogrammed Apple Flunky)
