
Since when do beliefs require evidence?

They don’t mention any, so this is the most positive sounding but still truthful position they can take.

Best I can think of is geolocating IPs of the reset requests and then seeing if the real owner (near original location) does a second reset later to take the account back, but that’s not convincing especially if you know where the account you’re targeting lives and went through a VPN in the same city to match.



It's still pretty misleading.

They are supposed to be the experts (in the eyes of non-technical people) and if you don't have the skills to understand how the attack works it's reasonable (or at least used to be reasonable) to consider that the risk is minimal if "experts" do not believe it's bad.

This response lures their users into a false sense of security.


> This response lures their users into a false sense of security.

That's the entire point of their response though. If all you ever had to do was tell people the truth, PR wouldn't be a thing.



