guanxingyun79
@guanxingyun79
On April 26th, we detected an internal problem with the generation of the 21 characters. 2 out of the 3 random functions that we use in the code were not generating an authentic random sequence. It was possible to request a password change for a customer ID, and then find the "unique" URL emailed to the customer by brute force. The problem was found by an internal developer on April 26th at 11:03:14 and it was fixed at 12:54:13. The cause of the problem was linked to the rand function used in this part of the code. It was not patched to the same extent as the rest of the code at the time of activating the script execution cache. We have replaced the old function of 3 sequences to generate 21 characters with 2 authentic random functions to generate 64 characters.
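The post describes a password-reset token that was brute-forceable because the PRNG behind it was not producing real randomness. The following is an added example, not code from the poster or from the affected provider: a constructed weak generator whose 21-character token depends only on a low-entropy seed (here the request time in whole seconds, an assumption standing in for whatever made the two functions non-random), the brute-force search an attacker could run against it after triggering a reset for a victim's customer ID, and the CSPRNG-based 64-character replacement. The 62-symbol alphabet and the timestamps are constructed for illustration.

```python
# Added example (not the poster's or the provider's code): weak reset-token
# generation beside a CSPRNG-based one, with the brute-force attack on the weak one.
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols per position (assumed)
WEAK_LEN = 21
STRONG_LEN = 64


def weak_token(seed: int, length: int = WEAK_LEN) -> str:
    # Assumption for illustration: the PRNG is seeded from a low-entropy value such
    # as the request time in seconds, so every token is a function of that small
    # seed rather than a draw from the nominal 62**21 token space.
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def issue_weak_reset(request_time: int) -> str:
    """Server side of the vulnerable flow: token derived from the request time."""
    return weak_token(request_time)


def brute_force_weak(token: str, approx_time: int, window: int = 3600):
    # Attacker side: the reset was requested for the victim's ID at a roughly
    # known time, so regenerate the token for every seed in that window.
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed) == token:
            return seed
    return None


def strong_token(length: int = STRONG_LEN) -> str:
    # secrets draws from the OS CSPRNG; output is not a function of guessable state.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Nominal entropy of a uniformly random token of this length."""
    return length * math.log2(alphabet_size)


def verify_token(submitted: str, stored: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the stored value.
    return hmac.compare_digest(submitted, stored)


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed request timestamp
    victim_token = issue_weak_reset(t0)
    print("weak token:     ", victim_token)
    print("recovered seed: ", brute_force_weak(victim_token, t0 + 900))
    print("strong token:   ", strong_token())
    print(f"nominal entropy: 21 chars = {token_entropy_bits(21):.0f} bits, "
          f"64 chars = {token_entropy_bits(64):.0f} bits")
```

The point the numbers make: a 21-character token from a 62-symbol alphabet nominally carries about 125 bits, but when the generator's output is determined by a seed with a few thousand plausible values, the attacker only has to search those, so the fix is the source of randomness, with the longer token as extra margin.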