[v64]

Because you can withdraw your coins from Coinbase, that means Coinbase has a copy of the private key associated with the BTC address that your BTC resides in. Two factor auth is not going to prevent a rogue attacker or employee from taking these keys.

By immediately transferring the BTC to a paper wallet address generated on a secure, offline computer, it is simply impossible to withdraw the BTC without possession of the information on that physical piece of paper. This is far more secure than any digital or two factor auth.

Edit: I notice that Coinbase does store the vast majority of their BTC in paper wallets[1]. The problem is, Coinbase still has a copy of the private keys associated with your BTC address. While this may hinder the efforts of outside attackers, there still exists a vulnerability with those employees who have access to the systems that move BTC from cold to warm storage. That's why your BTC should always reside in an address you generated yourself and solely possess the private key to.

[1] http://blog.coinbase.com/post/33197656699/coinbase-now-stori...

[Aqueous]

I mean, I've given them the ability to withdraw money from my bank account so merely trading on CoinBase requires me to believe they won't do that or anything like that. The fact of the matter is that I don't trust CoinBase, but I know that our interests are somewhat aligned. If they damage their reputation by stealing my BitCoins or my cash they lose money because people don't trust them any more. They are backed by people I consider to be reputable and if CoinBase does something shady all of their reputations will suffer.

[DanielRuskin]

While this is a legitimate concern, it is not relevant to what happened here - the OP didn't enable 2FA and used the same password on his Twitter account (which was also compromised).