Yeah but these days, if someone sets up mobile verification or 2FA, it's not going to be that easy going through forgot password links. Codes will just be sent to a mobile phone or a recovery address that most likely won't be seen and it'll force the individual wanting access to go the route of hacking means.