Currently, if a user doesn't have an account and tries to reset their password, they will not get an email. We also don't let the user know whether the account exists or not. This can be a confusing experience.
Originally, I think we were trying to offer some measure of security by obscuring whether the address had an account. However, I'm not sure I believe this is actually a security win since you could still check existence of an address from the account creation form.
Currently, if a user doesn't have an account and tries to reset their password, they will not get an email. We also don't let the user know whether the account exists or not. This can be a confusing experience.
Originally, I think we were trying to offer some measure of security by obscuring whether the address had an account. However, I'm not sure I believe this is actually a security win since you could still check existence of an address from the account creation form.
Perhaps we should just let the users know.