Sounds like it was just social engineered out of HostMonster. Almost all of the EIG hosts (HostMonster, BlueHost, iPage, HostGator, etc) use awful outsourced support that are only rated on amount of tickets closed/solved. They are very lackadaisical with customer information and verify accounts based on the last four digits of the card used. I'm guessing the "hacker" in this case guessed the last four of the card via livechat or a support ticket and then got in and moved the domain over to GoDaddy.
"I remembered the notification from YouTube that someone had accessed my account from a different location – a notification I had ignored, assuming that I had logged in on a mobile device or that my husband had accidentally logged into my account instead of his own."
All of her accounts were compromised - seems more likely to be malware than social engineering.
Also the hosts you mentioned use in-house support.
Unless you're in Burlington you probably aren't familiar with the brands you don't work at. Most of them have support provided through GlowTouch. Even HostGator USA has GlowTouch Indians doing transfers and helping in ticket queues.
My guess is that the author's home computer was compromised or their gmail password was guessed. They mentioned that they ignored a warning that someone logged into their account remotely.
At home I have a Chromebox machine that I only use for online banking and no other purpose.
My other machines are used for the usual consumer Web activities, including Web site administration. I'm wondering if perhaps I should modify my approach to do the admin only from the Chromebox... which brings up the classic tradeoff of security vs convenience.