This is why the bigger you are, the more important it is to log almost everything that you can... It sucks from one side, because it is a security risk to log potentially sensitive information, on the other hand it's critical to be able to diagnose problems in the wild.
In this case, if requests for password resets are logging the codes sent (even if the error is present), they would be able to determine which accounts were affected, and return them to the appropriate registered email address (if they were changed).
On the one hand, the storage and compute costs for these kinds of things suck.. but this is exactly what big table solutions are for, be they C*, ElasticSearch, Google, Azure or AWS table storage solutions. If you have more than 10K users on your system, and logging everything possible isn't routine, it should be.
Access to read that log data is another issue entirely.
In this case, if requests for password resets are logging the codes sent (even if the error is present), they would be able to determine which accounts were affected, and return them to the appropriate registered email address (if they were changed).
On the one hand, the storage and compute costs for these kinds of things suck.. but this is exactly what big table solutions are for, be they C*, ElasticSearch, Google, Azure or AWS table storage solutions. If you have more than 10K users on your system, and logging everything possible isn't routine, it should be.
Access to read that log data is another issue entirely.