Hope you are good!
Steps to repro: 1) Create a HackerOne account having email address "email@example.com". 2) Now Logout and ask for password reset link. Don't use the password reset link. 3) Login using the same password back and update your email address to "firstname.lastname@example.org" and verify the same. 4) Now logout and use the password reset link which was mailed to "email@example.com" in step 2. 5) Password will be changed.
All previous password reset links should automatically expire once a user changes his email address. Please let me know if this can be fixed.
Best Regards Anand Prakash