It’s frustrating but it does give information to attackers. If an attacker just sees the login attempt was rejected, then they have no idea if it was because the password changed, the user entered it wrong in the phishing form, the user realized it was a phishing attempt and gave garbage to fuck with them, the password expired, or if the service provider is on to them.
If an attacker sees “your password has been reset and you must set a new one” then they have some information that could be used to social engineer their way into the account. Especially if it’s a work account where the email is behind the same password.
It’s frustrating but it does give information to attackers. If an attacker just sees the login attempt was rejected, then they have no idea if it was because the password changed, the user entered it wrong in the phishing form, the user realized it was a phishing attempt and gave garbage to fuck with them, the password expired, or if the service provider is on to them.
If an attacker sees “your password has been reset and you must set a new one” then they have some information that could be used to social engineer their way into the account. Especially if it’s a work account where the email is behind the same password.