If the message verifies successfully, you are redirect to a set a new password page
That creates another angle of attack: people lose (or even sell) private keys, which would give someone access to their account.
But if someone sells his own private key, or loses it, this is entirely his fault.
This is different from a hacked account, which is a lot more unsafe.
As a private key can be stored 100% offline.