We already know Coinbase sell user data to third parties, but I think this is unlikely. Selling a name and associated bitcoin addresses is one thing; selling passwords is another.
No. Coinbase itself won't sell passwords. But there's a chance an employee (or ex employee) could have done that.
Database hacks and leaks from other companies.
https://haveibeenpwned.com/Passwords has 600 million accounts and passwords in their database. Too many people use the same password across multiple (or even all!) accounts.
Wow, I didn't know the number became
that big.
However, if it would have gone on this path, I'd expect some of other exchanges' customers have the same problem - at least those with no 2FA set.
Of course, we can only speculate on where the hacker got from the e-mail passwords. Some still keep an awfully lot of useless mails and sensitive data in their mailboxes, but scanning so many mailboxes to find out whether they're Coinbase customers or not may not be a small job (of course, it can be automated for some of the servers).