The attackers also needed to know the user's phone number and have access to their email account. That is a sufficiently high bar that I can still be sympathetic to Coinbase here.
Not sure why you discount username and phone either. Each of these is an additional layer of security simply by being more information an attacker needs to collect and associate. Coinbase doesn't publish a list of usernames. And how would someone associate phone numbers back to them?
You can easily check databases on and off the darknet to find people's phone numbers and most people don't have multiple phone numbers and rarely change their number because of the associated hassle with moving accounts. The same goes for their email and even passwords if they reused them.
password is 1FA.
SMS is 2FA (not a great one, but still). Coinbase failed at 2FA. 2FA is critically important; that's why it exists.