E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.
This. So much this.
So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.
If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table. The 2 factor is only for logging into the website to receive the encrypted wallet. Once they've got the wallet, they don't need the 2FA at all.
My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.
Virus scans came up pretty clean ... one trojan Troj/JSRedir-BV
However, I did look back in my email history. My last wallet backup was May 28th.
Also, I did get a few "Authorize log-in attempt" warnings emailed to me on July 15th and July 4th.
"An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:
Time: 2013-07-15 07:55:45
IP Address: 87.118.91.140 (Germany)
User Agent: Mozilla/5.0 "
The location does appear to match the location on the transaction in blockchain.info:
https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840
I ignored the warning at the time, since I had 2FA on.
The stolen coins have now been moved.
https://blockchain.info/address/15B9RyqJGrJcqKmyMr8QUEocif9ATYuXBP