The attacker had the passwords and 2fa codes from the Google account so Coinbase couldn't really distinguish them from the right person (tho presumably for large transfers they may require some extra checks, dunno)

▲

RandomBacon 5 days ago | parent [-]

The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?

> Google had cloud-synced my codes.

> That was the master key. Within minutes, he was inside my Coinbase account.

The author wrote "codes", not "passwords".

▲

sgerenser 4 days ago | parent [-]

The author clarified that he had enabled Sign in with Google on his Coinbase account. So if the attacker was logged in with his Google account, then they had access to his Coinbase account without needing a password.

	▲	RandomBacon 4 days ago \| parent [-]
		Isn't "Sign in with ______" (Google/Facebook/Etc) discouraged, because if for whatever reason Google/Facebook/Etc decides to ban your account, you can no longer log in to those services?