Chirper's password reset uses a short numeric token sent by email. The endpoint has no rate limiting — enumerate the token and take over any account.
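
A server-side fix for the two weaknesses described above (a short numeric token and no limit on guesses), as an added example that is not Chirper's code. The class name `ResetTokenStore`, the 15-minute lifetime and the 5-attempt cap are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed lifetime of a reset token, in seconds
MAX_ATTEMPTS = 5      # assumed number of wrong guesses before the token is burned


class ResetTokenStore:
    """Hypothetical in-memory store; a real service would persist this state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [sha256(token), expires_at, failures]

    def issue(self, account):
        # 256 bits from the CSPRNG instead of a short numeric code, so the
        # token space cannot be walked through even without other controls.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing a new token replaces (invalidates) any earlier one.
        self._pending[account] = [digest, self._clock() + TOKEN_TTL, 0]
        return token  # emailed to the user; only the hash is kept server-side

    def redeem(self, account, presented):
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, _failures = entry
        if self._clock() > expires_at:
            del self._pending[account]          # expired tokens are discarded
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            del self._pending[account]          # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            # Per-account attempt cap: burn the token so guessing cannot
            # continue; the user has to request a fresh reset email.
            del self._pending[account]
        return False
```

The attempt counter is keyed on the account rather than the client IP, so spreading guesses across many source addresses does not reset it.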