I have a custom domain with a site-specific email. No 2 sites have the same email address.
I have not seen any activity using that 'hacker-news' account.
Not saying your experience isn't accurate, providing one additional datapoint for analysis.
I think that what the user implies here is that the email address (rather than the password) was leaked. Maybe the password was just weak. But there’s not enough evidence.
But the account is from Jan 2013. Maybe not bcrypt yet. If password was never changed, is there a chance that the used algorithm was weak and crackable, and so in the event of a leak this could actually be a problem?
I'd say the possibility of your own computer having a virus infection, or your login credentials leaking some other way, is far more likely than assuming "HN might be hacked."
I'd make sure that it was a legitimate alert by going to (https://myaccount.google.com/security) because there's tons of fake alerts going around, a lot looking quite legitimate. Was the first thing that almost caught me in years.
