I think when the hide_email_address_taken site setting is enabled, you can only reset the password by entering the email address. In this case, knowing the username no longer helps. This setting was recently enabled by default. If it isn’t already enabled, enabling it could be helpful to prevent the resets.
4 Likes