A user left the company and then returned a year later. Rather than reactivate her existing account, we created a new user ID with the same email address as the old one. When the user tried to log in remotely and used the "forgot password" link to reset her password, the system reset the inactive account rather than the active account. As a result, the user was not able to log in because the account was inactive. To mitigate, I have changed the email address in the inactive account. However, the system should be modified so password reset requests only look at active accounts not inactive accounts.