The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.