TL;DR; Version Carmelo was lying. Customer coins and accounts were compromised. Carmelo was unable to pay users back.
On May 29 I woke up to a couple of emails from coinbase that I wasn't exactly expecting:
"On May 29, 2015 you purchased 4.0000 BTC for $958.01 USD from *Bankname* - Bank *****last4.
Those bitcoins are now available in your My Wallet account!"
Followed Shortly By:
"You just sent 4.0000 BTC (worth $946.00 USD) to 1JYprFYWXWsJ2c3YFAztoX5WHoPwJQh6s3.
Attached message:
Funded by Transfer with ID: 556883126c32f9273100009b"
I then contacted Carmelo. And let him know that my personal bank account had been hit for $1,000 dollars. On BTCLendtalk a thread had been created
https://btclendtalk.org/topic/251/coinbase-hacked where a user had mentioned himself and another person had the same 4 btc taken from their coinbase via the API.
Carmelo then promised to pay me back, but not until the following Friday June 5th. In the meantime, My house payment was due June 1 and the payment had already been sent/authorized. My car payment was due June 1 and had already been sent/authorized.
His initial response was to tell me that Coinbase had been hacked and that he was covering his customers because it was the right thing to do.
"Just so you know, The Coinbase hack was not only on BTCLend customers. We just went ahead and covered our customers because its the right thing to do. Good Luck."
I reached out to Coinbase using my existing ticket related to this incident as I hadn't heard anything regarding Coinbase being comprimised: Thje response from Coinbase support closed with this:
"The unauthorized transactions were created using only the API key which you affirmed was used for BTCLend. Whomever created these transactions required access to the API key, and at this time we have no indications that our customers API keys are vulnerable."