I've not used Mt. Gox, but does it let you perform transactions without authenticating again? Even if you were logged in to your account, I'd expect any kind of finance-related website to perform some kind of re-authentication before processing any transaction. Perhaps with the exception of transferring funds to somewhere you've sent funds in the past.
If they have your wallet.dat file (which probably happened in this case), they don't even need to visit Mt. Gox to perform transactions.
The guy had a Trojan loaded up onto his computer where he stored his bitcoins. All this two-factor authentication stuff people are talking about is for naught. He was attacked by a virus, and that virus stole bitcoins straight off of his computer.