The news accounts of John Podesta's email hack indicate that his password was stolen by a site that impersonated a Google login screen. The link was sent to him in a spearfishing email.
The account didn't say whether or not he had two factor authentication turned on, but he probably did not. If he had turned it on, the hackers would not have gotten the text message with the login code when they used the password the first time. He would have, and would have realized that his account had been attacked and could have taken action before anything was compromised.
Both Google and Facebook have had two factor cell phone based authentication for a few years, and many other services are starting to use it.
Joomla has had two-factor authentication since 3.2; WordPress does not appear to support it as a core function, but does have plugins to support it.