Currently emails can be leaked by requesting a password reset. It is possible to throw emails at the software and see which emails have accounts and which ones don’t, without having access to said emails. This is extremely dangerous.
This is not a bug. We have a site setting called
hide email address taken that prevents it.
There are also rate-limits on sign in so it’s not particularly easy to brute force large numbers of email addresses.
That should not be behind a setting…
It’s a trade-off between usability and security (lots of things are). It’s common for people to be frustrated by trying to log in with the wrong email address, and letting them know it doesn’t exist can help. For sites that need the extra security, the option is there.
We’ve got other measures in place to reduce the risk and haven’t encountered significant problems with it across hundreds of Discourse sites.