|
|
|
|
|
|
by Nextgrid
2090 days ago
|
|
|
A good password reset page would not disclose such a fact (it would return a successful response with a message "if this email exists, we'll email you" regardless of whether it actually exists) however attempting to create an account would disclose that fact by rejecting an account creation attempt with an existing email, unless they use emails purely as communication channels and accounts are uniquely identified by username/account number instead. |
|
|
They can tell the user to await an e-mail from them with the confirmation link. Then if the e-mail address is already in use, send an e-mail saying, "somebody, probably you, tried to register as <new-username> on <site> but we have you down as <old-username> already". Otherwise, send a normal confirmation link.