The password recovery does not change the password. It adds a new tempory password which also works for login.
All your users can login using their existing password. Nothing gets changed.
The email they receive even says "If you did not request this, please ignore this message.".
So it's designed so that's not possible.
Tell them all just to ignore the emails and login normally.