With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.
Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing.
Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device.
The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.
Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.
So a hacker gained access to my iCloud account (despite two-factor authorization) while I was asleep this morning.— Jason Caffoe (@jcaffoe) September 20, 2017
Users who have had their Macs locked will need to erase their machines or restore from a backup to remove the lock if no passcode is available. Apple Support can offer specific assistance on the steps that need to be followed to remove the lock.
Discuss this article in our forums