See the Guardian link in the footnote. It appears a breach of another site, Gawker.com, exposed unencrypted passwords. Those are now being recycled in attacks against the marks other accounts.

The two-factor solution would pretty much kill GMail for us. We have it primarily because we can access when travelling in Europe. But unless you have tri-band cellphone, they won't work across the pond.

(And also wondering how they implemented storage of the code. If that is a local cookie that gets blown away at the end of the browser session, that is going to be a lot of fun...)