Currently emails can be leaked by requesting a password reset. It is possible to throw emails at the software and see which emails have accounts and which ones don’t, without having access to said emails. This is extremely dangerous.

Do not leak emails on password reset

awesomerobot (Kris) January 14, 2021, 9:44pm 2

This is not a bug. We have a site setting called hide email address taken that prevents it.

There are also rate-limits on sign in so it’s not particularly easy to brute force large numbers of email addresses.

5 Likes

Email enumeration vulnerability on "Password Reset" dialogue

Topic		Replies	Views
Password reset confirm message should discourage social engineering feature	7	1403	August 4, 2023
Can we pass an email address to /password-reset? feature docs-welcome	3	691	September 12, 2017
Getting the user’s reset password link? support	2	803	October 17, 2020
Password reset email leads to "Oops! That page doesn’t exist or is private." support	3	569	September 30, 2021
Manual Password Reset feature	3	2403	April 4, 2018