over 4 years ago - /u/JagexJD

Originally posted by jaydenkieran

I posted this in the other post on the sub about this news post as I didn't see this sticky, but I'll repeat it here:


It has taken over a week and a half to come out with a statement that says "No accounts were compromised".

That's great, but the main concern people had was not that anyone had been compromised, it was that users could not be receiving these recovery emails without someone knowing their email address or login username.

This post doesn't address how a malicious actor may have had a list of these emails/usernames at all. It doesn't give any indication whether the password requests actually were even being sent from what seems like a list or whether someone was just randomly trying different character combinations (which I doubt given the obscurity of some emails and usernames).

It doesn't provide any information about whether this was just one person, or a more sophisticated attack with multiple machines/IPs sending the requests at once.

Frankly, this post - in its current form - could've been made on the day that this was reported to Jagex.

Transparency is key.

There was a thorough investigation of the possibility this was something our end - we found no indication this was linked to a leak from our systems though.