Basically, the authentification process needed to change an account password could be bypassed by... simply ignoring it. Clicking "continue" without entering the password change verification code offered express access to the user's account.

Oops!