EA forces password reset but tokens don't expire after use.
In response to the LulzSec password leak, EA forces a password reset for everyone. However, the token doesn't expire after it is used.
A screenshot of the email with the token removed of course. http://min.us/mvfYihP
Sweet.
edit: updated title to reflect that they may expire after a certain time, but not after use. This also raises the question, what happens if they expire but you don't use the link before the token time expires? Yeah, I ran into the same thing. There was no way to force it to no longer be valid, even creating a new forgot PW request left the old link active.