Do not leak emails on password reset

This is not a bug. We have a site setting called hide email address taken that prevents it.

There are also rate-limits on sign in so it’s not particularly easy to brute force large numbers of email addresses.

5 Likes