They made it sound like it was easy to steal the said user's credentials or the said user was not careful enough.
I remember emanuele was just saying something about a private repository for security patches.
And if 2FA is good to prevent the stealing or reduce its risk, then it should be implemented.
2FA is in ElkArte 1.1 thanks to
@TE One of the main issues with stolen SMF DBs is that the user's password hash can be used as credentials on other SMF installs. Meaning if you used the same password on other SMF sites, the attacker does not need to "crack" the password as the hash can actually be used in some instances.
Past that, the old hash is not particularly expensive to compute, so you can run various attacks against a stolen db at a very high rate of speed = tasty to break = less time for users to change their passwords.
More "expensive" cryptographic functions do slow the rate of iteration / discovery, but are just as susceptible to being cracked. It's also easy to target privileged users in the db to narrow the scope / work. A benefit is that it gives a bit more time to allow users to update their passwords (after a breach) as the cracking may be 100 or 1000 or ..... times slower, but you are still looking at an insane number of iterations per min.
For fun, I ran the list of 500 most common passwords against some of my site DBs and I had a ~4-5% success rate at password capture overnight. I've read articles where that number is much higher, approaching 10%.
Once a db is stolen, it's important to change your password, and since they will be stolen, it's important to have 2FA.
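
Added example (not part of the original post, and not SMF or ElkArte code): a Python sketch of the two storage properties discussed above. A cheap hash with no random salt yields the same value on every install for the same user name and password, while a salted, iterated function gives a different record each time and costs far more per guess. The SHA-1 construction in `legacy_hash` and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for this demo; tune to your hardware


def legacy_hash(username, password):
    # Assumed stand-in for a cheap legacy scheme: one SHA-1 pass, no random
    # salt, so the stored value is identical on every install.
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def slow_hash(password, salt=None):
    # PBKDF2-HMAC-SHA256 with a random per-record salt.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_slow(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(slow_hash(password, salt)[1], digest)


def cost_ratio(fast_samples=20_000, slow_samples=5):
    """CPU cost of one slow_hash computation relative to one legacy_hash."""
    start = time.perf_counter()
    for i in range(fast_samples):
        legacy_hash("alice", "guess%d" % i)
    fast = (time.perf_counter() - start) / fast_samples

    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(slow_samples):
        slow_hash("guess%d" % i, salt)
    slow = (time.perf_counter() - start) / slow_samples
    return slow / fast


if __name__ == "__main__":
    # Constructed sample account: same user name and password on two installs.
    site_a = legacy_hash("Alice", "hunter2")
    site_b = legacy_hash("alice", "hunter2")
    print("legacy hash identical across installs:", site_a == site_b)
    rec_a, rec_b = slow_hash("hunter2"), slow_hash("hunter2")
    print("salted records identical:", rec_a[1] == rec_b[1])
    print("verify against stored record:", verify_slow("hunter2", *rec_a))
    print("slow/fast cost per computation: %.0fx" % cost_ratio())
```

The measured ratio only changes the time available to respond after a breach, which is why the post pairs stronger hashing with password changes and 2FA.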