This is not any secret or bug. Theymos already mentioned this when 2FA has been released for this forum. keep secure your email and bitcoin address which you will use first time on your account. if you forget email or if your account are hacked with email then you will able to recovery your account via Bitcoin address sign.
-It should have been posted with your real account
If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.
-It should have been posted with your real account
You got that right. It doesn’t matter if 2FA could be disabled on site or not. Once your mail address has been compromised, of course there isn’t any use for the 2FA no more. Since, it’s the same mail that would be receiving the codes when generated.
2FA isn’t some mine to the best form of security. Your best chances at being really secure always starts with you. You’ve got to ensure you take proper measures to safe guard that which could leave you vulnerable to hackers and scammers. In the context, your mail address is one of those.