I've heard about this vulnerability a few times this year, but this explains it the best.
Bottom line: be extremely protective of who knows your iPhone passcode.
Once someone knows your passcode, they can change your iCloud password and turn off Find My. If a thief does this, you're basically screwed.