Can a hacker cover their tracks in "Recently Used Devices"?

I just handled a situation with a long-time user on my Discourse forum whose account was used by an impersonator in a failed attempt to scam other forum users. The real owner of the account reset their password and is back in control. But I can’t figure out why they have only one location and device listed under Recently Used Devices. I suppose the user’s devices and/or network could be compromised by somebody who is using their connection remotely, but frankly that seems like an extremely elaborate method with relatively small gain potential in the context of my random forum. The user admitted that they might have used a weak and/or non-unique password, and their email address is on a few Have I Been Pwned lists.

It looks like sessions that get logged out from that interface completely disappear from the list, but you can’t log out the currently active session from there. The owner of the account told me that there was another unrecognized device and location in their Recently Used Devices when they noticed the fake posts with their account, but they did not click the “Log Out” button on that device, and then they panicked a bit and quickly reset their password. So I don’t understand why that device/location is no longer visible in Recently Used Devices.