Yeah, my first thought was make every attempt acquire some per user lock with a timeout. It's pretty much the same thing. Either one would have a negligible effect on legitimate requests and would solve the problem.
He didn't really explain it, but I think what was going on is the rate limiting is done per account, and the race condition was a way to circumvent that. He has to make all the requests very quickly because the first thing all the requests are doing is determining if new requests for this account should be ignored. All the requests are received around the same time, they all make this check and decide they are valid requests, then they all report that an attempt was made for that account (locking it).
The rate limiting for IPs is probably global (not related to the reset endpoint).