by Retr0spectrum 3615 days ago
I'm guessing they just pwned one of their employees via some kind of social engineering. Nothing to see here.
2 comments

You say nothing to see here, but compromising high-traffic sites with great potential for malware delivery to a large number of users shouldn't be a de rigueur thing...

The fact that this has become the norm should be a cause for concern.

WordPress VIP that hosts TechCrunch does require 2FA. Not saying it could not have been social engineering, but the usual dumb methods may not work.
The most popular method at the moment seems to be SEing phone companies into transferring the account to a phone owned by the attacker, therefore bypassing 2FA.