There is a password bash utility on Git that anyone can use to gain access to an iCloud account.
It’s dictionary based so as long as your password isn’t in the current non-static dictionary, you are ok.
Don’t assume you are. Don’t assume that 2-Step Auth will keep your account safe. Go change it now using a suggested 16 character strong password, get keychain enabled and set up.
iDict uses a dictionary to bash the authentication sequence, so it will try all entries loaded until it’s succeeds or fails.
Any knucklehead who can read will be able to assemble this when the config.plist gets published. Don’t wait.