Without knowing much about the situation... how much was this necessary? The industries Zenefits are working with aren't exactly tech-friendly, and I just always assumed Zenefits was doing some gross things on the backend in order to make things easier for the user.
(This doesn't excuse bad testing or bad code, but it's not like the insurance industry has well-documented public APIs for Zenefits to use)
Reminds me of mint.com. I used to work at Venmo and they tried to integrate with us, but then without even reaching out to us they decided they couldn't because of the 2fa on our web login. We had a documented developer API but they seemed to never even consider using it.
(This doesn't excuse bad testing or bad code, but it's not like the insurance industry has well-documented public APIs for Zenefits to use)