The tokens that WordPress uses in its Reset Password emails is not very secure and there is a possibility that it can be reverse engineered by a malicious user. I just scanned my logs for the last week and there were no attempts on my sites. I expect we will soon see brute force attempts similar to the password guessing robots that I have been seeing.
I wrote a plugin (stop spammers add-on) to detect these types of hits, but without an active bad agent to test it, I don’t know if it is useful. If a robot does appear trying to guess the token, I will be ready.