I have updated the bug title and description to include what I stated on comment #1, which goes beyond than just using the self-service password API for the attack.
I have updated the bug title and description to include what I stated on comment #1, which goes beyond than just using the self-service password API for the attack.