• Try to log in to my ISP’s website. “Username not found.”
• Try the password reset link and put in the username just to see what happens. “Password reset email sent.”
• Email turns up. Click the link. Type a password. “Password reset successfully.”
• Try to log in to my ISP’s website. “Username not found.”

Edit: to be clear, I didn’t put in my email address, I only put in the username. The system looked up the username and found the email address by itself.

When my phone’s barcode reader app sees a web link, it fetches the page’s title to display next to the actual link. So it is going to that web server and fetching resources by itself. Even though it isn’t actually rendering the page and running javascript, it might be exploitable.