[uxp]

I didn't think that it was an option, but I did check. You are right. Of the three checkbox options, notifying the recipient of a share invitation is the only one checked by default.

Either way, my main point stands. This isn't a major privacy issue. Though, I've always been taught that when developing an authentication mechanism, one should not distinguish between a bad password or bad email address/user name in the error message provided to the user. Specifically the latter, since a "Invalid password supplied for John Doe" gives confirmation that the username provided is valid, and a bruteforce or dictionary attack on the name will probably successful.