Some web services invalidate existing auth tokens as soon as a valid email address is used in the password recovery flow rather than when the email link is clicked. You can use this for a mildly inconvenient denial of service attack.