We noticed that when user's login is expired, often several credential recoverys are created in a short time.
It's because new created credential recovery is not indexed at this monent, thus query catalog to count credential recovery is not enough.
We should also check if it has pending activity