
Whoa, wait, what? What occurred was a simple confidence hack, not some industrial spy escapade.

Anyway, to answer your initial point, two factor authentication helps with this problem, as you have to still have the security token to authenticate. And if the "Something you have" gets stolen, then you need a manager to work through it to get you set up again, and all resets are heavily monitored and audited.



My point wasn't that this particular incident was some great case of industrial espionage. But it's a rather easy slippery slope to that outcome.

But what if your website is secured behind an Amazon EC2 or Linode CSR? Aren't Instagram and Netflix run at least in part on EC2? I have no clue what the security schemes are for either of those service providers, but if they allow CSRs to change passwords, then it's the same thing. If the CSRs can be paid off, or fooled over a phone call, then it might be cheaper to just do that if they want to inflict potentially millions of dollars worth of damage to a rival.

Having the security of your entire business behind a single CSR or a cell phone is the equivalent of millions of dollars worth of Cisco firewalls being outdone by a $20 wifi-router plugged into the internal network.


Yea, that's all protected by multifactor authentication. Front line CSRs don't need a raise over this. Maybe they have other reasons, sure. But not this.



