What's more plausible -- Google 2-factor was disabled, or a user re-used the same login/password on a site without 2-factor? Passwords will be with us for a long time to come. Employers should buy employees 1Password or equivalent for their own safety and require long unique random strings for every 3rd party account. Employers can control that somewhat but can't force vendors to implement 2-factor.

[TD;DR]

It wasn't a problem inside reuters, but their 3rd party provider called (Taboola), which injects ads on reuters. So once Taboola hacked, the ads system started injecting a script to redirect that page to another one.

Finally: Be careful with those 3rd parties ads tools etc.