by tablethnuser 2526 days ago
You will get automated emails alerting you to people trying to access your account even if they don't have the credentials. E.g. they got my PSN info from a breach and tried to use it to log into Steam or Battle.net. Sometimes they will even start the password reset flow but I have no idea why.

I rarely go through these flows myself so I don't know what they reveal or are capable of. I'd rather be anonymous.

1 comment

Some of the reset flows leak email address information (or, worst case, entire email addresses) in the "We sent an email to you" descriptions, and some of them leak 2FA/MFA metadata such as 1) if 2FA is on for an account at all, 2) if 2FA is TOTP based or SMS based. (Depending on how the reset flow was coded to handle 2FA/MFA, since a lot of sites bolted in 2FA/MFA way after they built their password reset flows originally.)

In a lot of the cases where a reset flow was initiated, the real goal seems to be to get email or SMS access. (I.e., you may want to check your email provider for failed login attempts after a reset flow email.) Sometimes it is useful to check those flows yourself for such leaks and report it to site owners. (Though in my experience so far, many of them seem nonplussed about it more often than not.)

Some of the reset flow emails at this point aren't even real, they are increasingly elaborate spear phishing schemes to get you to worry about your account security enough that you might follow a link directly from the email (to a phishing login) to "report that you did not request a reset" in some way or another.

Also, I'm sure some of them are initiated just for graffiti/broken-windows/anxiety-creation reasons. They want you to know they were trying to get your account.

ETA: Also, initiating password recovery flows can be a step in trying to social engineer access from a customer service rep. ("I started the recovery process, but never got the email." "Yes, I can see that you started the process, let me see what I can do...")
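A concrete illustration of the reset-flow leak described in the comment above (account existence, masked email, and whether 2FA is TOTP or SMS showing up in the "we sent an email" message), as an added example and not code from the thread: a leaky handler beside one whose response is identical for every input. The user store, usernames, masking rule and `queue_reset_email` helper are constructed for the example.

```python
# Added example (not from the thread): a password-reset endpoint that leaks account
# metadata in its response, beside a version whose visible response never varies.
import json
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Account:
    email: str
    mfa: Optional[str]  # None, "totp" or "sms" (constructed sample values)

# Constructed sample user store, keyed by username.
USERS = {
    "alice": Account("alice@example.com", "totp"),
    "bob": Account("bob@example.com", "sms"),
    "carol": Account("carol@example.com", None),
}

SENT: list = []  # stands in for the outbound mail queue (constructed)

def queue_reset_email(acct: Account) -> None:
    """Hypothetical out-of-band delivery; the reset mail never shapes the HTTP reply."""
    SENT.append(acct.email)

def _mask(email: str) -> str:
    local, _, domain = email.partition("@")
    return f"{local[0]}{'*' * (len(local) - 1)}@{domain}"

def leaky_reset(username: str) -> dict:
    """Reveals account existence, a masked address, and the 2FA method in one reply."""
    acct = USERS.get(username)
    if acct is None:
        return {"ok": False, "message": "No account with that username."}
    if acct.mfa is not None:
        return {"ok": True, "message": f"We sent a code to {_mask(acct.email)}. "
                                       f"Confirm with your {acct.mfa.upper()} code."}
    return {"ok": True, "message": f"We sent a reset link to {_mask(acct.email)}."}

def hardened_reset(username: str) -> dict:
    """Same reply for every input; delivery details live only in the email itself."""
    acct = USERS.get(username)
    if acct is not None:
        queue_reset_email(acct)
    return {"ok": True, "message": "If an account exists, we sent instructions to it."}

def responses_differ(handler: Callable[[str], dict], usernames: list) -> bool:
    """Enumeration check: does the reply vary across existing/missing/2FA accounts?"""
    return len({json.dumps(handler(u), sort_keys=True) for u in usernames}) > 1
```

`responses_differ` is the check worth running against your own reset endpoint: the hardened handler still sends mail for real accounts, but nothing an unauthenticated caller can observe changes with the username.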