1a) Don’t store the user’s password, only a (salted) hash of it. When a user logs in, hash the password they provide and compare it against your archived hash. If you don’t know the user’s real password, you can’t compromise its security.

1b) It’s difficult to securely identify a user over the phone, and the level of effort you’ll make will depend on how “dangerous” unauthorized access to the account would be. My bank accounts require me to call from my home, work, or cell numbers (which I have listed with them in advance). You can ask the caller to verify randomly-selected pieces of account information that you have on file (like account number, billing zipcode, middle initial, date of birth, the seventh digit in the credit card number, etc). Some phone-based systems have a per-user PIN number that is different from the normal password/PIN. You can send the caller a one-time passcode to their mobile phone via text message, and require them to enter it into the system within some time limit. One of the more secure systems I’ve seen uses Verisign’s VIP Mobile app to generate one-time passcodes. (of course if someone steals your mobile phone, it doesn’t help much)

2) I doubt that information is publicly available. If there was a list of companies that insecurely store user account info, it would double as a “please hack me” list and those companies would get slammed by intrusion attempts.