Board: Bitcoin Discussion
Re: 6000 coinbase clients hacked
by DaveF on 02/10/2021, 21:18:32 UTC
So, if I got access to your gmail account

I think that this is the most important point. And my logic was that "only" some 6k had the same password at Coinbase as for their email.

The rest... yes, you're right. Coinbase simply didn't care to make it better/proper... or pay for auditing what "Bob in security" did there.

No, what I was saying was that if Bob screwed up, and you had Google Voice (once again picking on them; it could be many other providers), I did not even NEED your Coinbase password.
1) I get access to your email
2) I see you have a coinbase account
3) I see that text messages are coming into your email.
4) I send a password reset request, it sends a text to your email, which I am reading. I then can reset your password and go on my way with your money.

This is why what @o_e_l_e_o pointed out here is 1000% correct for so many reasons. https://bitcointalk.org/index.php?topic=5363669.msg58083653#msg58083653

SMS is not AND NEVER WILL BE SECURE.
And adding
Using an SMS-to-email or other gateway is even less secure than totally not secure.

-Dave
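The four-step chain in the post, as an added example that is not part of the original post and not code from Coinbase or any provider: a small Python model of which channels end up able to read a password-reset code once the SMS channel is forwarded through a VoIP gateway into the inbox. The channel names ("sms", "voip", "email"), the forwarding topology and every function name are constructed assumptions for illustration; nothing here contacts a real service.

```python
from collections import deque

# Constructed topology (assumption, not from the post): each key is a channel,
# each value the set of channels that automatically receive a copy of whatever
# is delivered to it. An empty set means the message is read only on the
# device or account that owns that channel.
NO_GATEWAY = {
    "sms": set(),      # text arrives on the handset/SIM only
    "email": set(),
}

SMS_TO_EMAIL_GATEWAY = {
    "sms": {"voip"},   # the number lives at a VoIP/gateway provider
    "voip": {"email"}, # the provider forwards every text into the inbox
    "email": set(),
}


def readers(forwards, channel):
    """Every channel at which a message sent to `channel` can be read,
    following forwarding edges transitively (breadth-first walk)."""
    seen = {channel}
    queue = deque([channel])
    while queue:
        cur = queue.popleft()
        for nxt in forwards.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reset_succeeds(forwards, reset_channel, attacker_controls):
    """True when an attacker who already reads `attacker_controls` also sees
    the one-time code that a password reset sends to `reset_channel`.
    This is step 4 of the post: the reset text is delivered somewhere the
    attacker is already reading."""
    return not readers(forwards, reset_channel).isdisjoint(attacker_controls)


def factors_independent(forwards, factors):
    """True when no single channel compromise exposes more than one of the
    given factors, i.e. 'something you know' and 'something you have' are
    really separate. With an SMS-to-email gateway they collapse into one."""
    covered = []
    for f in factors:
        r = readers(forwards, f)
        if any(not r.isdisjoint(prev) for prev in covered):
            return False
        covered.append(r)
    return True


def single_channel_takeovers(forwards, reset_channel, second_factor):
    """Channels whose compromise alone defeats both the reset and the 2FA."""
    return readers(forwards, reset_channel) & readers(forwards, second_factor)


if __name__ == "__main__":
    # The post's scenario: attacker holds only the victim's email.
    for name, topo in (("no gateway", NO_GATEWAY),
                       ("SMS forwarded to email", SMS_TO_EMAIL_GATEWAY)):
        print(f"{name}: reset code readable at {sorted(readers(topo, 'sms'))}; "
              f"email-only attacker resets password: "
              f"{reset_succeeds(topo, 'sms', {'email'})}; "
              f"email and SMS independent: "
              f"{factors_independent(topo, ['email', 'sms'])}")
```

Without the gateway, the reset code is readable only on the handset, so an attacker holding the inbox still needs the SIM; with the gateway, `readers(..., "sms")` already contains "email", so the inbox alone finishes the reset and the two "factors" share a single point of failure.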