Our Drupal 7.27 site has about 300k users. We do not use any session/login-modifications like SSO etc.
A colleague of mine reported to me yesterday that he was logged into another user's account after he had used the password recovery function (he supplied a screenshot to me which clearly shows that he's correct). He logged out and logged in again. This time he was correctly logged into his own account. We've not been able to reproduce the issue nor have there been any reports from our users. We've updated/added the following modules recently (all at newest version): Zen Theme, Flag Module, External Links Module.

Only the flag module interferes with the session/user-management.