A little confusion here: the new password is sent by email, but it is only activated if the user validates the change by clicking on the link in the email. So as long as the hacker didn't get access to the user's email, he can't change the password. If any password is sent over email, it must immediately be ...
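The two-phase flow the comment describes, as an added example that is not part of the original post and not the site's own code: the emailed password is stored only as a pending credential, and the active password is left untouched until the confirmation token from the link is presented. The function names, the PBKDF2 hash, and the one-hour token lifetime are assumptions made for illustration.

```python
"""Two-phase password reset: the new password that goes out by email is kept
as a *pending* credential and only becomes the account's password when the
confirmation link's token is presented. Hypothetical example; names, hash
choice and lifetimes are assumptions, not the site's real implementation."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumption)


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the site actually uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        # (sha256(token), hash(new password), expiry) or None when no reset is pending
        self.pending = None

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.password_hash)


def request_reset(account: Account, now: Optional[float] = None) -> tuple:
    """Phase 1 (anyone can trigger this): generate a new password and a
    confirmation token. Both go into the email; only hashes are stored.
    The currently active password is not changed, so a stranger spamming
    reset requests neither learns nor breaks anything."""
    now = time.time() if now is None else now
    new_password = secrets.token_urlsafe(12)
    token = secrets.token_urlsafe(32)
    account.pending = (
        hashlib.sha256(token.encode()).digest(),
        _hash(new_password, account.salt),
        now + TOKEN_TTL,
    )
    return new_password, token  # the two values the email would carry


def confirm_reset(account: Account, token: str, now: Optional[float] = None) -> bool:
    """Phase 2 (the link in the email): only a valid, unexpired, single-use
    token, i.e. someone who can read the mailbox, activates the pending
    password. Anything else leaves the old password in force."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    token_hash, new_hash, expires_at = account.pending
    if now > expires_at:
        account.pending = None  # stale request is discarded
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
        return False
    account.password_hash = new_hash
    account.pending = None  # token is single-use
    return True
```

The important property is visible in the two functions: `request_reset` never touches `password_hash`, and `confirm_reset` is the only path that does, gated on a token that exists nowhere but in the email and as a hash on the server.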