As you all guessed, I'm not using two-factor authentication / yubikey.
Did you mean to say you weren't or that you still aren't?
Because unless you can say with certainty that you aren't using a machine that has been compromised, then even after changing your password your remaining coins are no safer now than before. Get 2FA. If you don't have a smartphone or other second device that can run it then move the funds to an EWallet that uses SMS-based 2FA.