In trying to help my transferred member figure out how to reset (orYeah, there's basically no defense for this one. Forwarding a password reset link is in its way worse than posting your password - because the reset not only gives the stranger access, but also locks you out.
I am now in an offlist pow-wow with the two of them, trying to figureI read in other messages that they have it straightened out. So that's good.
However, even if the second member couldn't be reached, or couldn't remember what the new password was, the original member can to go to the site and click for a new Password Reset. That she could do without being able to sign in (that being the time you _need_ a password reset).
And this time don't forward the email to anyone!