Uh... One part of it is not returning password reset tokens in the browser. If you know remotely anything about web security, this is the most glaring security flaw you could ever encounter.
Other steps are nice to think about, but ensuring basic security measures would preempt 99% of data breaches and "hacks".
The most appalling part is that this was a dedicated endpoint, named "password-reset". This wasn't some negligent leak, some misconfigured logger. It was done this way on purpose. Somebody thought this was a good idea. And nobody else saw it and thought to question it! It reveals gross institutional incompetence that probably should have been filtered out at the hiring stage.
The token should only be accessible to the user requesting the password reset, meaning that it would be sent via email (this is the standard password reset flow).
The flaw here is that anyone, even if they did not control the email of the user, could reset the password, because the reset token was returned in the browser, where anyone could see it. Essentially, just by knowing someone's email (not having control over it), you could reset their password.
It should’ve been sent via email to the registered email address. That lets the account owner reject it (I didn’t request a password reset!) or use it.
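The flow the comments above describe, as an added example that is not code from the thread or from the site being discussed: a small Python sketch contrasting a reset endpoint that echoes the token to whoever called it with one that stores only a hash of the token, delivers the token by email, and answers with the same generic message whether or not the address is registered. The user table, token store, mail outbox and function names are all constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database and a mail server.
USERS = {"alice@example.com": {"password": "old-password"}}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires_at", "used"}
OUTBOX = []         # (recipient, message body) pairs the mailer would send

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def _hash(token):
    # Only the hash is persisted, so a copy of the token table is not
    # enough to reset anyone's password.
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(email, now):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def request_reset_vulnerable(email, now=None):
    """The flaw described in the thread: the endpoint returns the reset
    token in the HTTP response, so knowing the address is enough to
    reset the account without ever seeing the victim's inbox."""
    now = time.time() if now is None else now
    token = _issue_token(email, now)
    return {"status": "ok", "token": token}   # secret leaks to the caller


def request_reset_secure(email, now=None):
    """Hardened variant: the token travels only to the registered address,
    and the response is identical for known and unknown emails."""
    now = time.time() if now is None else now
    response = {
        "status": "ok",
        "message": "If that address is registered, a reset link has been sent.",
    }
    if email not in USERS:
        return response            # no account enumeration, no secret
    token = _issue_token(email, now)
    OUTBOX.append((email, f"https://example.com/reset?token={token}"))
    return response


def complete_reset(token, new_password, now=None):
    """Consume a token: must exist, be unexpired and unused."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True          # single use
    USERS[record["email"]]["password"] = new_password
    return True


if __name__ == "__main__":
    leaked = request_reset_vulnerable("alice@example.com")
    print("vulnerable response exposes token:", "token" in leaked)
    safe = request_reset_secure("alice@example.com")
    print("secure response exposes token:", "token" in safe)
    print("mail queued for:", OUTBOX[-1][0])
```

The account owner who did not ask for a reset simply ignores the email; the token expires and nothing changes. Because the secure handler's reply is the same for registered and unregistered addresses, the endpoint also does not confirm which emails have accounts.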
Yeah, in this particular case, they were just glaringly stupid.
Just gaming out ideas in my head. I have friends from rather more repressive countries, namely China, where being gay is still a grey area in terms of legality and acceptance, and I’m just thinking of better ways to structure a system.