by chinathrow 3725 days ago
3. Established procedure was not followed

Wouldn't it make sense that support staff can only generate and send out password reset mails if the PIN/password has been entered into a form? I don't know the term for this - like "coded procedure".

In this case, the support staff wouldn't even need to be trusted in the first place.


This is a great point. The software should be modified to not allow the employee to even make any modifications to the account without the correct credentials.
Agreed, and we're looking to improve this area too.
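The control suggested in the thread above, as an added illustration that is not from the original post or any real vendor's support tool: the support console can only issue a reset when the customer-supplied PIN verifies, attempts are counted and the action is audited. The account class, the attempt limit and the sample PIN are assumed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_ATTEMPTS = 5  # assumed policy value: lock PIN verification after this many failures


@dataclass
class Account:
    email: str
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store PINs as PBKDF2 hashes so the support database never holds raw PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def create_account(email: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, hash_pin(pin, salt))


@dataclass
class SupportConsole:
    audit_log: list = field(default_factory=list)

    def send_password_reset(self, account: Account, staff_id: str, customer_pin: str):
        """Issue a reset token only if the PIN the customer gives verifies.

        There is no code path that lets an agent skip the PIN check, so the
        procedure is enforced by the tool rather than by trust in the agent.
        Returns the reset token on success and None otherwise.
        """
        if account.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
            self.audit_log.append((staff_id, account.email, "denied: PIN locked"))
            return None
        candidate = hash_pin(customer_pin, account.pin_salt)
        if not hmac.compare_digest(candidate, account.pin_hash):
            account.failed_pin_attempts += 1
            self.audit_log.append((staff_id, account.email, "denied: bad PIN"))
            return None
        account.failed_pin_attempts = 0
        token = secrets.token_urlsafe(32)  # would be mailed to the address on file
        self.audit_log.append((staff_id, account.email, "reset issued"))
        return token
```

Every decision lands in the audit log with the staff id, so a reset issued without a matching "reset issued" entry is itself a detection signal.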