1. The number should be a strong cryptographic digest of the request id and salt, so that changing a few numbers won't work and failed attempts are logged with their client IP address.
2. A password reset page should never show any more than the user name/id.
3. The business may be in breach of the Data Protection Act for showing other users' personal details!
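
Point 1 as an added example, not part of the original post: the value in the reset link is derived from the request id and a server-side salt, and a mismatch is logged with the client IP. Using HMAC-SHA256 as the keyed digest, and the names `reset_token`, `verify_reset` and `SERVER_SALT`, are assumptions of this sketch.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("password_reset")

# Assumption: a server-side secret plays the role of the "salt" in point 1.
# Constructed sample value; a real one would be loaded from a secret store.
SERVER_SALT = b"constructed-example-secret-not-for-production"


def reset_token(request_id: int, salt: bytes = SERVER_SALT) -> str:
    """Derive the value placed in the reset link from the request id."""
    return hmac.new(salt, str(request_id).encode(), hashlib.sha256).hexdigest()


def verify_reset(request_id: int, presented: str, client_ip: str,
                 salt: bytes = SERVER_SALT) -> bool:
    """Check a presented token; log the client IP when it does not match."""
    expected = reset_token(request_id, salt)
    # compare_digest does not reveal how many leading characters matched.
    ok = hmac.compare_digest(expected.encode(), presented.encode())
    if not ok:
        log.warning("failed password reset: request_id=%s ip=%s",
                    request_id, client_ip)
    return ok


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    token = reset_token(1001)
    # Neighbouring request ids give unrelated tokens, so incrementing the
    # id in the link without knowing the salt fails verification.
    print(token)
    print(reset_token(1002))
    print(verify_reset(1001, token, "203.0.113.7"))  # constructed IP
    print(verify_reset(1002, token, "203.0.113.7"))
```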