I'm super curious how this hack worked, but I feel like the story is just about the last step. What did the attacker have such that this last step did it?

My guess is that the attacker had the google password, and also the login for Coinbase was somehow stored in Google, so the attacker getting into google also exposed Coinbase. I just looked at Coinbase, and it does have a "Sign In With Google" feature.

If you want to live the stripped-down TOTP lifestyle, you have to love this 20 line Python solution. Does not depend on weird libs, and the last edit is 4 years ago. Write the seed on a Post-It and you're all set. Not so convenient, but sound sleeping! https://github.com/susam/mintotp