Hackernews made me realize manual recovery should never be a thing. My first account was taken over by a scammer even with a unique password. I suspect the admins of this site 'manually recovered' my account and gave it to them.
The last message of my first account, areallygoodname, is spam. I couldn't be bothered getting the admins to recover it back. I just took the lesson that hackernews is really insecure due to allowing manual recovery.
At the end of the day, you either have onerous procedures to recover an account--notarized signatures and the like--or you just don't allow it at all. Or there's always going to be some susceptibility to sophisticated social engineering.