Your Customers and Their Secrets
Unfortunately, these cost-saving password reset features have opened up new attack vectors. Why would an attacker spend hours or days trying to find a software hole when they can simply reset all user passwords? Password reset services are quickly becoming the easiest way to gain access to customer data. When not implemented correctly, these reset features are the simplest and quickest backdoor for enumerating customer accounts and gaining unauthorized access to them.