Well of course, if you don't have 2FA enabled, the only protection is to not allow someone to steal your password.

Or enable 2FA, which seems easier, and protects you from this attack.

I think the metaphor in this case is "The bullet proof vest didn't work? Well, stop standing in front of bullets!"

If they trust so blindly in the security of the password, why even have 2FA?

'All relevant cool sites are expected to have 2FA'

Twitter would be very criticised if they didn't have it.

So 2FA as PR rather than actual security.

You’ll realize how much this is true when you see how many people will lambast you for not implementing 2FA vs the handful of people who will actually use it once you implement it.

It’s like when McDonalds caved and started offering salads. The people saying McDonalds made you fat were happy, yet nobody actually orders salads from McDonalds.