You do not need to run 80 reconnaissance tools to get access to user accounts
Information Disclosure
An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked.
https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781