I was talking with Isaac last night and he made a good observation: it's possible that there could have been a server hiccup (aka the page wasn't loaded) and an impatient user could have hit the refresh button during a page load of the forgot password system, which could also result in multiple messages being sent to the user as well (though the mail log should be able to tell us how many messages were actually sent to a user and what IP address requested the new password link, and with the IP you can see if it was any of your legit users by comparing via the member management tool in the CP).