The email being compromised opened the door to his email being compromised. The door to his Namecheap account being compromised was apparently already wide open.

No, OP didn't have 2FA enabled on their namecheap account. It was namecheap's fault for improper handling of the social engineering attack but OP could have protected themselves by having 2FA

The article pretty clearly states 2FA was enabled for the Namecheap account in question. In fact, that is sort of the whole point of the article.

Oh this comment by CIO led me to think 2FA wasn't...

https://news.ycombinator.com/item?id=11480221

You should not be able to overcome 2FA with social engineering wtf!