The author clarified that he had enabled Sign in with Google on his Coinbase account. So if the attacker was logged in with his Google account, then they had access to his Coinbase account without needing a password.

Isn't "Sign in with ______" (Google/Facebook/Etc) discouraged, because if for whatever reason Google/Facebook/Etc decides to ban your account, you can no longer log in to those services?