It's always great to see effective incidence response and proactive employees. Congrats Coinbase and thank you for sharing. Your experience will make the rest of us more aware.
Two months ago the NIST announced that SMS for out of band authentication was deprecated. It makes sense. Phone numbers have a much bigger attack vector compared to Yubikey and Google Authenticator. This incident is a perfect example.