No, it sounds like coinbase used email recovery, but his email provider used SMS recovery.
So the hacker only needed to hijack his SMS.... with that, they gained access to his email, and then with that gained access to coinbase. No password required.
So the hacker only needed to hijack his SMS.... with that, they gained access to his email, and then with that gained access to coinbase. No password required.