@Abhishek8298 identified that password resets performed via a logged-in user’s profile page were not rate limited. This could allow an attacker who had compromised a user’s session to brute force the user’s password. While low risk, we remediated this issue by limiting the rate at which password reset requests could be sent.
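One way to apply this kind of limit, shown as an added example rather than the code behind the fix described above. It assumes the profile form asks for the current password before accepting a new one; `PasswordChangeLimiter`, `set_password`, `change_password` and the 5-attempts-per-15-minutes policy are hypothetical names and values.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class PasswordChangeLimiter:
    """Sliding-window limiter keyed on the account id, so an attacker holding
    a hijacked session cannot reset the budget by changing session or IP."""

    def __init__(self, max_attempts=5, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts      # assumed policy values
        self.window_seconds = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)   # user_id -> attempt timestamps

    def allow(self, user_id):
        now = self.clock()
        attempts = self._attempts[user_id]
        while attempts and now - attempts[0] >= self.window_seconds:
            attempts.popleft()                # drop attempts outside the window
        if len(attempts) >= self.max_attempts:
            return False
        attempts.append(now)
        return True


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(store, user_id, password):
    salt = os.urandom(16)
    store[user_id] = (salt, _derive(password, salt))


def change_password(limiter, store, user_id, current_password, new_password):
    """Hypothetical profile-page handler; returns an HTTP-style status code."""
    # Check the limiter before the password so guesses past the budget learn
    # nothing, not even whether the guess was right.
    if not limiter.allow(user_id):
        return 429
    salt, expected = store[user_id]
    if not hmac.compare_digest(_derive(current_password, salt), expected):
        return 403
    set_password(store, user_id, new_password)
    return 200
```

In a multi-process deployment the attempt counters would live in a shared store rather than in process memory.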