Post
Topic
Board Meta
Re: 'Password reset via email' option used to hack the account?
by
seven2smoke1
on 12/03/2018, 21:48:57 UTC
The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have a confirmation email before the password can be changed?
I don't know why this confirmation step is just bypassed. It's too important, because once a hacker logs into your account, you will be 100% hacked without any verification by email. I hope that theymos will consider this step as soon as possible.