You could try stealing theirs. Surely, one of the forgot-password flows must use the recovery email.