I think this was likely a case of a TA getting in with legitimate creds that they obtained from an outside source. How can that be stopped? Happens every day. As someone said earlier - scrub your HAR files and don't leave sensitive data out there. I don't see that this was much of a compromise of a system in that the TA likely got in with legit creds. Where these creds came from is the bigger question.