Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-login, no 2FA is required
This would have been my guess also, but from the history it says:
* 2014-02-22 19:56:08 109.163.234.9 Logged in using two-factor authentication
109.163.234.9 is a TOR relay, so it seems it was the hacker that did a full logon from TOR using 2FA (also it is the same address that withdraws the BTC).
The most likely option then is that they have access to (at least) your phone.
I think the reason the hacker changed the password was so you would not log on yourself and change the password in case you saw the withdrawal email. He then changed it back to cover his tracks, just in case you would not notice.
* Did he delete the confirmation emails bitstamp sent from your email?
* You should make a list of all IP addresses the hackers used and confirm that they are TOR relays on
https://metrics.torproject.org/relay-search.html
Not likely, but the hacker might have made a mistake somewhere in not using TOR.
* It would be interesting if you could export a list from your Android phone of all the applications installed and post it here, especially those installed just (1-2 weeks) before the hack.
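
Added example, not part of the original posts: one way to do the IP triage suggested above, grouping account-history events by source address and flagging any address that is neither a known Tor relay nor one of the account owner's. Only the first history line comes from the thread; the other lines, the `TOR_RELAYS` and `OWN_IPS` sets and all function names are constructed assumptions, with the relay set meant to be filled in by hand from the relay search page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: only the first line is quoted from the thread.
HISTORY = """\
* 2014-02-22 19:56:08 109.163.234.9 Logged in using two-factor authentication
* 2014-02-22 19:58:41 109.163.234.9 Changed password
* 2014-02-22 20:03:17 198.51.100.23 Opened withdrawal request
* 2014-02-21 08:12:55 203.0.113.77 Logged in using two-factor authentication
this line is not a history entry
"""
# Assumption: addresses confirmed by hand on the relay search page.
TOR_RELAYS = {"109.163.234.9", "192.0.2.50"}
# Assumption: addresses the account owner recognises as their own.
OWN_IPS = {"203.0.113.77"}

LINE_RE = re.compile(r"^\*?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.+)$")

def parse_history(text):
    """Yield (timestamp, ip, event) for well-formed lines; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, event = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))  # normalise, reject non-addresses
        except ValueError:
            continue
        yield ts, ip, event

def triage(text, tor_relays, own_ips):
    """Group events by source IP and label each IP 'tor', 'own' or 'unknown'."""
    report = defaultdict(lambda: {"label": None, "events": []})
    for ts, ip, event in parse_history(text):
        label = "tor" if ip in tor_relays else "own" if ip in own_ips else "unknown"
        report[ip]["label"] = label
        report[ip]["events"].append((ts, event))
    return dict(report)

def leads(report):
    """Addresses that are neither Tor relays nor the owner's: the possible slip-ups."""
    return sorted(ip for ip, r in report.items() if r["label"] == "unknown")

if __name__ == "__main__":
    rep = triage(HISTORY, TOR_RELAYS, OWN_IPS)
    for ip, r in rep.items():
        print(ip, r["label"], [e for _, e in r["events"]])
    print("leads:", leads(rep))
```

Relay membership changes over time, so an address should be checked against the relay list as it stood on the date of the event, not only as it is today.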