Even if this is the case, it doesn't excuse the way their password reset system exposes the users email. This is security basics, and it's an absolute failure.