With TFA, if the email got changed it would not make a difference. The attacker would need the second factor to reset the password and to log in. So the worst they could do is to lock out the account owner. The support staff being socially engineered is a different story, but yes, this is a security hole in SendGrid's system and an easily patched one at that.