> The first proper zero auth password reset I've seen in production.

In 2011 Dropbox briefly had an even easier "zero auth exploit". For a couple hours if you typed in any email on the login page, password checking was skipped and you could login to any account. Albeit, you still couldn't reset the user password, just login.

https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...