Just upgraded from 13.x to 15.x over the 4th. I just had 2 of my clients email accounts get hacked and spammers send spam from them. Using the new password reset system. I generated temporary passwords for both accounts. (Different domains) and promptly nuked all mail in the queue from the users. I was just alerted to more spamming from the SAME accounts. My clients haven't even logged in to change the passwords yet.. So how the heck did they log back in?