by koeselitz 5760 days ago
It's funny, because I don't think you're being paranoid - but note that almost every site is in exactly the same boat on this. It doesn't really matter that most of them don't send your username & password to you in an email; most of them do allow you to get your username and reset your password using only email verification. So even if your username/password wasn't sent in an email, someone who has access to your email can get them.

I think that's a risk, but it's hard to see another way to do it; people forget passwords, unfortunately. It's a fact of life.

1 comments

I think mentioning the username and email ID is a lot more preferable - and safer. I'm not as concerned about my email getting hacked (in which case, I have bigger problems) as I am about my password being up there in plain text. Most of us sign up for more things than we can remember individual passwords for; many of us probably use a set of a few passwords across sites - with our own rules for what's used where. The fact that any person can assume a reasonable degree of password reuse and try my password on (say) Gmail, etc. is very disturbing.