[rosswilson]

Exposing whether an account exists is a risk, but the alternative is also a hard problem to solve. Sign In screens could throw a generic error that doesn’t reveal whether it was the email address or password that was incorrect, but what about registration flows?

If users can sign up and register to your system, it’s harder to offer a slick user flow without revealing that an account already exists. One way to achieve this is to only capture the user’s email address, send them an email, and they complete the rest of the sign up process as a second stage. A user who already has an account gets sent an email stating that an account already exists.

As a business I assume they’ve decided that the risk of exposing whether an account exists was worth it in exchange for a better user experience.

[gitgud]

Thanks for the explanation. But I would think a generic error would be more secure, as it reveals less information. It's also what most systems implement.

Yes, the signup flow is an important part of any system, I think an ideal solution is make the feedback of wheather an account exists much longer. So they need to fill in a registration form, before they get feedback on wheather the email exists.

Anyway, in the end I guess it's a UX decision with trade-offs either way.