The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?
> Google had cloud-synced my codes.
> That was the master key. Within minutes, he was inside my Coinbase account.
The author clarified that he had enabled Sign in with Google on his Coinbase account. So if the attacker was logged in with his Google account, then they had access to his Coinbase account without needing a password.
Isn't "Sign in with ______" (Google/Facebook/Etc) discouraged, because if for whatever reason Google/Facebook/Etc decides to ban your account, you can no longer log in to those services?
> Google had cloud-synced my codes.
> That was the master key. Within minutes, he was inside my Coinbase account.
The author wrote "codes", not "passwords".