I think the idea is to highlight the bad security practices that allow this in hopes that these companies patch these holes (in this case reduce leaked data in the password reset process).
A GREAT example of this was when Firesheep forced Facebook (and countless other sites) into embracing HTTPS. Firesheep was a Firefox plugin that anyone could run on a public Wi-Fi network (e.g. a coffee shop) and instantly start getting the passwords of anyone on the same network that logged in to anything over HTTP. At the time Facebook was HTTP by default. So it made the news and forced Facebook to make HTTPS required basically overnight. Many other companies followed suit, and it's likely fair to say that the release of that plugin single-handedly accelerated HTTPS adoption by a considerable margin.
I don't know that this release will be that impactful, but it's certainly better than having this be a technique that only black hats know about.