
Password reset links should expire after being used, instead of at specific time

Medium
WakaTime
Reported by silv3rpoision

Vulnerability Details

Technical details and impact analysis

Improper Authentication - Generic
Hi, hope you are good!

Steps to repro:

1) Create an account having any email address like "[email protected]".
2) Now log out and ask for a password reset link. Don't use the password reset link sent to your mail address.
3) Log in using the same password back and update your email address to "[email protected]" and verify the same. Remove "[email protected]".
4) Now log out and use the password reset link which was mailed to "[email protected]" in step 2.
5) Password will be changed.

Fix: All previous password reset links should automatically expire once a user changes his email address.

So below is the attack scenario:

1) My email account is compromised. Attacker asks for a password reset link for my account.
2) I get to know, I change my email address on my account. I now assume I am safe.
3) But the hacker can still use the old password reset links (which he had never used a single time) which were sent to my old email address.
4) My account is now compromised again.

Please let me know if you need any other information and thanks again for looking into this. Please fix this.

Best Regards
Piyush kumar
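The following is an added illustration of the fix the report asks for; it is example code written for this page, not WakaTime's implementation. It models a reset-token store that ties every token to a per-user `security_version` counter, which is bumped whenever the email (or password) changes, so any link issued before the change stops working. Tokens are also single-use and time-limited. The user store, the `security_version` field, the function names and the `example.com` addresses are all constructed for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    email: str
    password: str            # stored in clear only to keep the illustration short
    security_version: int = 0  # assumed field: bumped on email/password change


@dataclass
class ResetToken:
    token_hash: str        # only a hash of the emailed token is stored
    user_id: int
    issued_version: int    # security_version of the user at issue time
    expires_at: float
    used: bool = False


class PasswordResetService:
    TOKEN_TTL_SECONDS = 3600  # absolute lifetime, in addition to single use

    def __init__(self):
        self.users = {}   # user_id -> User
        self.tokens = {}  # sha256(token) -> ResetToken

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id, email, password):
        self.users[user_id] = User(user_id, email, password)

    def request_reset(self, email) -> Optional[str]:
        """Issue a reset token for the account behind `email` (the caller emails it)."""
        user = next((u for u in self.users.values() if u.email == email), None)
        if user is None:
            return None  # respond identically to the client regardless
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = ResetToken(
            token_hash=self._hash(token),
            user_id=user.user_id,
            issued_version=user.security_version,
            expires_at=time.time() + self.TOKEN_TTL_SECONDS,
        )
        return token

    def change_email(self, user_id, new_email):
        """Changing the address invalidates every outstanding reset link."""
        user = self.users[user_id]
        user.email = new_email
        user.security_version += 1

    def consume_reset(self, token, new_password) -> bool:
        """Return True and set the password only if the token is still valid."""
        rec = self.tokens.get(self._hash(token))
        if rec is None or rec.used or time.time() > rec.expires_at:
            return False
        user = self.users[rec.user_id]
        if rec.issued_version != user.security_version:
            return False  # issued before an email/password change: rejected
        rec.used = True
        user.password = new_password
        user.security_version += 1  # a successful reset also voids other links
        return True


def run_report_scenario() -> bool:
    """Replays the report's steps; the hardened service must refuse step 4."""
    svc = PasswordResetService()
    svc.register(1, "victim-old@example.com", "hunter2")          # step 1
    token = svc.request_reset("victim-old@example.com")           # step 2, link unused
    svc.change_email(1, "victim-new@example.com")                 # step 3
    return svc.consume_reset(token, "attacker-chosen")            # step 4


def run_reuse_scenario():
    """A token works once and is dead afterwards."""
    svc = PasswordResetService()
    svc.register(2, "someone@example.com", "pw")
    token = svc.request_reset("someone@example.com")
    first = svc.consume_reset(token, "new-pw")
    second = svc.consume_reset(token, "another-pw")
    return first, second, svc.users[2].password
```

Binding tokens to a version counter rather than to the email string itself means the same check also covers the other event that should void a reset link, a successful password change, without having to scan the token table on every account update.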

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Improper Authentication - Generic