Different password reset for wrong username/email

To be clear, what are we going to do when someone signs up with an email that has already been taken?

  • Like HipChat: respond as if the signup was successful and send an email to the email address suggesting they change their password.
  • Respond as if the signup was successful and do nothing.
  • Show another error. “Signup is not allowed from this account” (which is also a clue that the email is recognized for some reason)

We currently indicate the email is already taken.

Primary email has already been taken

For when the “xxxtra email security” site setting is enabled, I like the HipChat approach otherwise, and I think it’s smart. Via email to the specified email address:

Title: Account already exists at {site}

You just tried to create an account at {site}. However, an account already exists for name@example.com.

  • If you forgot your password, reset it now.

  • If you didn’t try to create an account for name@example.com, don’t worry – you can safely ignore this message.

If you have any questions, contact our friendly staff.


This is partially done, except the “account created” page doesn’t show these two buttons:

The absence of these buttons is a clue, so they should probably be faked too.

The setting is renamed to hide email address taken.

And while I’m at it, this form is also not covered by this setting:


Any ideas on those two places @michaeld?

I added support to the change email form in user preferences. It will respond as if it was successful, and send the email to the owner of the other account.

You just tried to create an account at Localhost Discourse, or tried to change the email of an account to doggy@woof.com. However, an account already exists for doggy@woof.com.


Closed in favour of Email enumeration vulnerability on "Password Reset" dialogue
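
The behaviour discussed in this thread (identical responses from the signup and change-email forms, with the "account already exists" notice going only to the mailbox owner), as an added Ruby example that is not Discourse's code. The class, method, page and template names are hypothetical.

```ruby
require "set"

# Hypothetical service, not Discourse code: every name here is an assumption.
class AccountEmails
  # One frozen response per form, returned on every branch, so the status,
  # the body and the buttons rendered from it cannot reveal a taken email.
  SIGNUP_RESPONSE = { status: 200, page: :account_created }.freeze
  CHANGE_RESPONSE = { status: 200, page: :confirm_new_email }.freeze

  attr_reader :outbox

  def initialize(registered)
    @registered = Set.new(registered.map { |e| normalize(e) })
    @outbox = [] # stands in for a background mail queue
  end

  # Signup form: the new address is recorded only after activation,
  # which is outside this sketch.
  def signup(email)
    notify(normalize(email), :activate_account)
    SIGNUP_RESPONSE
  end

  # Change-email form in user preferences.
  def change_email(new_email)
    notify(normalize(new_email), :confirm_email_change)
    CHANGE_RESPONSE
  end

  private

  # Both branches enqueue exactly one message to the same address, so the
  # work done per request is the same; only the template differs, and only
  # the mailbox owner ever sees which one was chosen.
  def notify(address, template_if_free)
    taken = @registered.include?(address)
    template = taken ? :account_already_exists : template_if_free
    @outbox << { to: address, template: template }
  end

  def normalize(email)
    email.strip.downcase
  end
end
```
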