A KeePass password should be prohibitively hard to brute force that way. They're random and fairly long. It's far more likely the attacker found some other route.
Recovery passwords for email accounts are actually kind of tricky, since the standard is generally recover-password-through-proof-of-control-of-email-account.
You can do SMS, but then you need phone numbers for users. Requiring "alternate email" is kind of a nightmare.
I wish someone could build an "account recovery as a service", with different levels of escalation. It would be fun to spec it out, but I have no time to actually set it up, since it's more a business vs. just some servers.