are you using password encryption? or is the password stored in plain text?
the link in the email should not be pointing the userupdate page, it should be pointing to the forgot password page.
change the following line:
"returnURL" => "userupdate.php",
"returnURL" => "forgotpassword.php",