An issue has been identified on the mailing list
Essentially the table that stores user passwords is storing duplicate
entries. So if you have a policy that mandates that a user can only change
to his/her original password after say 8 resets, then the user will be able
to do so in 5 instead.