You would think a "Forgot Email" feature would be simple to implement: a feature that sends an email to an account when given its username.

And it can be, but a feature like this has several vectors that are ripe for abuse.

Some examples:
- Credential stuffing
- Targeted account takeovers
- Email quota overage
- Account state exfiltration

Our mitigations:
- IP address rate limits (10/1440 mins)
- Once per account for 24h
- Email quota (no overages)
- Random timing delays
- General error messages
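The following is an added example, not code from the original post, showing how the listed mitigations fit together in one request handler. It assumes an in-memory store (a real deployment would use a shared store such as Redis), interprets "email quota (no overages)" as a hard cap on emails sent per trailing 24 hours, and takes the 10-per-IP-per-1440-minutes and once-per-account-per-24h windows from the post. Every branch returns the same generic message and is followed by the same random delay, so neither the response text nor the timing tells a caller whether the username exists, is rate-limited, or was already emailed today.

```python
import secrets
import time
from collections import defaultdict, deque

# Limits taken from the post; the quota value is a per-deployment assumption.
IP_LIMIT = 10                 # requests per IP ...
IP_WINDOW_S = 1440 * 60       # ... per 1440 minutes
ACCOUNT_WINDOW_S = 24 * 3600  # one email per account per 24h
GENERIC_RESPONSE = "If that account exists, an email has been sent."


class ForgotEmailService:
    """Hypothetical 'forgot email' endpoint with the post's mitigations.

    clock/sleep are injectable so the logic can be exercised offline.
    """

    def __init__(self, known_users, daily_email_quota,
                 delay_range_s=(0.2, 1.0), clock=time.time, sleep=time.sleep):
        self.known_users = set(known_users)
        self.daily_email_quota = daily_email_quota   # hard cap, no overages
        self.delay_range_s = delay_range_s
        self.clock = clock
        self.sleep = sleep
        self.sent = []                                # (username, ts) emails actually sent
        self.ip_hits = defaultdict(deque)             # ip -> timestamps of requests
        self.last_sent_for = {}                       # username -> ts of last email

    def _ip_allowed(self, ip, ts):
        # Sliding window: count *every* request from this IP, including ones
        # for unknown usernames, so enumeration and stuffing burn the budget.
        q = self.ip_hits[ip]
        while q and ts - q[0] > IP_WINDOW_S:
            q.popleft()
        if len(q) >= IP_LIMIT:
            return False
        q.append(ts)
        return True

    def _quota_available(self, ts):
        # Emails sent in the trailing 24h must stay under the provider quota.
        sent_today = sum(1 for _, t in self.sent if ts - t <= ACCOUNT_WINDOW_S)
        return sent_today < self.daily_email_quota

    def _account_allowed(self, username, ts):
        last = self.last_sent_for.get(username)
        return last is None or ts - last > ACCOUNT_WINDOW_S

    def _random_delay(self):
        # Random jitter drawn from a CSPRNG, applied on every path, so response
        # time does not reveal which branch ran.
        lo, hi = self.delay_range_s
        self.sleep(lo + (secrets.randbelow(1000) / 1000.0) * (hi - lo))

    def request(self, username, ip):
        ts = self.clock()
        if (self._ip_allowed(ip, ts)
                and username in self.known_users
                and self._account_allowed(username, ts)
                and self._quota_available(ts)):
            self.sent.append((username, ts))          # stand-in for actually sending
            self.last_sent_for[username] = ts
        # Same message and same delay whether or not anything was sent.
        self._random_delay()
        return GENERIC_RESPONSE

    def emails_sent(self):
        return len(self.sent)


if __name__ == "__main__":
    svc = ForgotEmailService({"alice"}, daily_email_quota=50)
    print(svc.request("alice", "203.0.113.5"), svc.emails_sent())
    print(svc.request("nobody", "203.0.113.5"), svc.emails_sent())
```

Note that the rate-limit and quota checks run before the "does this user exist" check only so that a limited caller cannot consume a known account's daily send; because all paths end with the same delay and message, the order is not observable from outside.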
