A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. The bug has been fixed with this patch, and as mentioned above, we have implemented a number of preventive security measures to protect customers.

Struggling to figure out what the heck they did. Some kind of injection attack to send the email to an arbitrary account? How would you even mess that up in the first place