coinbase is certainly one of the most concerning on that list- however they also support 2 factor authentication.

If you captured the right cookies though, you wouldn't need to log in with a password and be subject to OTP. That's why this is so problematic. Caveat: I haven't actually checked the details of Coinbase's session/security tokens.

This is true- but I'd assume all of these sites have flushed their session/cookie data by now.