Yeah, that's a pretty dumb movie on their part to immediately mitigate the attack and show the whole world it was possible the whole time and it was via an industry accepted best practice.
Why people don't get that TOTP is just "strong unique password" you can enforce from the service provider side is beyond me.
