First of all, let’s be 100% rock solid clear that we already say
“if an account exists for firstname.lastname@example.org we will send a password recovery email.”
Paraphrasing here, but you see what I mean. We confirm the typing of the email that the user told us they think has an account, by simply echoing it back to them.
I don’t think sending an email to completely unknown users on the premise that it is a user who has forgotten which email they used is “pretty standard behavior” – this is really hard to get right, which is why very few services even try to do it. I dare say it’s actually rather risky.
To test this hypothesis, do this:
- Go to any website on the web that you are definitely not a member of. Let’s call it
- Imagine that you have an imaginary account there (you don’t, but you think you do).
- Now enter your email address in the password recovery form
Do you get an email that says
“Ooops! Someone thinks email@example.com has an account on zombo.com. We have no record of such an account. If this is not you, you can safely ignore this email.”
I’d wager on 9 out of 10 (or more) websites you tried to do that on, you would NOT get this email.
I just did this on nytimes.com for example and I got:
“We’ve sent an email to firstname.lastname@example.org. If this is not the email address associated with your account, click here to resubmit the ‘Reset Your Password’ request with the correct email address.”
I have no account, and I used my real email address. No actual email arrived at my account…
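The two behaviours the comment contrasts, as an added example (not code from the thread or any site named in it): the on-page reply only echoes the address the requester typed and reads the same whether or not an account exists, while the difference is moved into the email that reaches the inbox owner. The account store, the outbox and the per-address cap are constructed for this example; the cap is one way to limit the risk the comment mentions, since otherwise the form lets anyone push notices at arbitrary inboxes.

```python
# Constructed sample data for the example: one registered address, an in-memory
# "outbox" standing in for a mail service, and a per-address send counter.
ACCOUNTS = {"firstname.lastname@example.org"}
OUTBOX = []
SENT_COUNT = {}
MAX_NOTICES_PER_ADDRESS = 3  # assumed cap to stop the form being used to spam an inbox


def normalize(email):
    """Trim and lower-case so 'Bob@Example.org ' and 'bob@example.org' match."""
    return email.strip().lower()


def request_password_reset(email):
    """Handle one password-recovery request and return the on-page message.

    The page reply depends only on the typed address, never on whether an
    account exists, so the requester learns nothing from it.  Which email is
    sent (reset link vs. "no such account" notice) is decided here and only
    the inbox owner sees the difference.
    """
    addr = normalize(email)
    if "@" not in addr or addr.startswith("@") or addr.endswith("@"):
        return "Please enter a valid email address."

    # Same generic reply for known and unknown addresses (echoes the input only).
    reply = f"If an account exists for {addr}, we have sent a password recovery email."

    # Cap notices per address; the reply above is returned either way.
    if SENT_COUNT.get(addr, 0) >= MAX_NOTICES_PER_ADDRESS:
        return reply
    SENT_COUNT[addr] = SENT_COUNT.get(addr, 0) + 1

    if addr in ACCOUNTS:
        OUTBOX.append({"to": addr, "kind": "reset",
                       "body": "Use this link to reset your password: <constructed-link>"})
    else:
        OUTBOX.append({"to": addr, "kind": "no_account",
                       "body": (f"Someone thinks {addr} has an account here. We have no "
                                "record of such an account. If this is not you, you can "
                                "safely ignore this email.")})
    return reply
```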