Yeah they did. They added his email as a secondary email to a Google Workspace user account, with the plus-address-suffix including a "Case ID". Then they reset the password of the user account, triggering this notification.