Isn’t the point of vulnerability in the initial account creation? The witness that creates accounts sent the keys out via email. That email containing the keys may still be in their sent folder.
Normally this can be done offline with most cryptos, but not the case with HIVE.
RE: Hive Security 2023: Using Multiple Wallets