Either somebody from inside has sold users' data to a malicious 3rd party
We already know Coinbase sell user data to third parties, but I think this is unlikely. Selling a name and associated bitcoin addresses is one thing; selling passwords is another.
So, if I got access to your gmail account (picking on them I am sure there are others that have linked email and phone numbers) and you had your SMS access /recovery phone number set to the google voice number that was linked to that account. Well, it's all over for you.
This of course makes it incredibly easy, but even just access to your email account is enough even if your SMS is linked to your phone. I get in to your email account - somewhere in your inbox or your outbox I'll probably be able to find your phone number, your address, your date of birth. Maybe you've got some electronic bank statements, rental agreements, car finance, etc., where I can get even more info about your, like your SSN. That's probably enough info for me to convince your carrier that I am you and transfer your phone number to my device and start receiving all your SMS messages.
I agree 100% on this. But where would the hacker get from 6k email addresses and their passwords too?
Database hacks and leaks from other companies.
https://haveibeenpwned.com/Passwords has 600 million accounts and passwords in their database. Too many people use the same password across multiple (or even all!) accounts.