imwaiting18
1 min read · May 1, 2024


Thanks bro! Okay, what I have generally noticed is that people only like to sign up using their phone numbers if they don't have any other option. So the number of email sign-ups was greater than phone numbers. When I encountered an account that had both email and phone number verified, the server prompted the user to choose their desired option to receive the link. On many websites, a phone password reset usually works like this: you receive a code, you enter the code, and the server response is "enter new password"... you know the drill. In this case, no code was sent; instead a link was sent to my phone number, like the one you usually receive when you enter your email address. That part was new. So as part of my bug mitigation, they have implemented a 7-digit code verification for phone number password resets. So if you reset using your email, there's no token leak, but if you use a phone number there is a leak. So I guess somebody found the email one but forgot to check for phone number.
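The comment above describes two reset channels that behaved differently (a link on email, and, unexpectedly, a link on SMS too) and a fix that moved the phone path to a 7-digit code. The following is an added illustration, not code from the post or from the affected site, of a reset service that treats the two channels as separate flows with the same safeguards: the secret is stored only as a hash, is bound to the channel it was issued on, expires, is single-use, and a short numeric code gets a bounded guess budget. The class name `ResetService`, the constants, the `example.invalid` domain and the in-memory outbox are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 7           # assumed, matching the 7-digit code mentioned in the post
RESET_TTL_SECONDS = 600  # assumed lifetime for a code or link
MAX_ATTEMPTS = 5         # assumed guess budget for a numeric code before it is voided


@dataclass
class PendingReset:
    channel: str       # "email" or "phone"; the secret is only valid on the channel it was issued for
    secret_hash: str   # SHA-256 of the code or link token; the raw secret is never stored
    expires_at: float
    attempts: int = 0


class ResetService:
    """Hypothetical password-reset service, constructed for this example."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # user_id -> PendingReset; one active reset per user
        self.outbox = []     # constructed stand-in for SMS/email delivery: (channel, address, message)
        self.passwords = {}  # user_id -> new password (a real service would hash this)

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def start(self, user_id: str, channel: str, address: str) -> None:
        """Issue a channel-specific secret and deliver it; nothing secret is returned to the caller."""
        if channel == "email":
            secret = secrets.token_urlsafe(32)
            message = f"https://example.invalid/reset?token={secret}"  # placeholder domain
        elif channel == "phone":
            # Numeric code only on SMS: a link-bearing token never goes out over this channel.
            secret = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
            message = f"Your password reset code is {secret}"
        else:
            raise ValueError(f"unknown channel: {channel}")
        # Starting a new reset replaces any earlier one, so older secrets stop working.
        self.pending[user_id] = PendingReset(
            channel, self._hash(secret), self.clock() + RESET_TTL_SECONDS
        )
        self.outbox.append((channel, address, message))

    def finish(self, user_id: str, channel: str, submitted: str, new_password: str) -> bool:
        """Consume the secret if it is valid for this user and channel; return True on success."""
        pr = self.pending.get(user_id)
        if pr is None or pr.channel != channel or self.clock() > pr.expires_at:
            # Wrong channel or expired: void the reset entirely rather than leaving it retryable.
            self.pending.pop(user_id, None)
            return False
        if not hmac.compare_digest(pr.secret_hash, self._hash(submitted)):
            pr.attempts += 1
            if pr.attempts >= MAX_ATTEMPTS:
                del self.pending[user_id]  # guess budget exhausted: a new reset must be started
            return False
        del self.pending[user_id]  # single use
        self.passwords[user_id] = new_password
        return True
```

The guess budget matters most for the phone path: a 7-digit code is small enough to enumerate if the server lets a client try indefinitely, whereas the email token is long and random enough that expiry and single use are the main controls.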



Written by imwaiting18

Exploring Web3 Blockchain and Smart Contracts Vulnerabilities. Writing about my findings in Web Applications, API and Android
