Currently emails can be leaked by requesting a password reset. It is possible to throw emails at the software and see which emails have accounts and which ones don’t, without having access to said emails. This is extremely dangerous.

パスワードリセット時のメール漏洩にご注意ください

awesomerobot (Kris) 2021 年 1 月 14 日午後 9:44 2

This is not a bug. We have a site setting called hide email address taken that prevents it.

There are also rate-limits on sign in so it’s not particularly easy to brute force large numbers of email addresses.

「いいね！」 5

Email enumeration vulnerability on "Password Reset" dialogue

トピック		返信	表示
Email enumeration vulnerability on "Password Reset" dialogue UX	19	3656	2024 年 12 月 19 日
Hiding "e-mail taken" on sign-up by default Announcements	6	192	2024 年 12 月 22 日
Password reset confirm message should discourage social engineering Feature	7	1518	2023 年 8 月 4 日
Received password reset email though I didn’t request one? Support	15	5498	2023 年 11 月 28 日
Different password reset for wrong username/email Feature	65	27788	2023 年 8 月 4 日