by truculent 1297 days ago
> Unfortunately this assumes that there's no other way for an attacker to discover whether a username/email address is registered for a service. This assumption is incorrect.

> 99.9% of websites on the Internet will only let you create one account for each email address. So if you want to see if an email address has an account, try signing up for a new account with the same email address.

This point is undermined by the sign-up workflow informing the user whether an account is already registered under a given username.

1 comments

That depends on the sign-up workflow. It is possible to not provide the information "user already exists" on sign-up and instead just say "we sent you an email, please confirm". In this scenario, a potential attacker who just wants to check for existing email addresses has no access to the email addresses he wants to check.

The contents of the email could be something like "Hey, you just tried to register with this email address, but we already have an existing account with this email address ... Was that you? ... Maybe you have forgotten your password?"
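One way to implement the "we sent you an email, please confirm" flow the reply describes, as an added example that is not code from any commenter or real service; the in-memory store, the outbox list and the example.invalid confirmation URL are constructed stand-ins for a database, a mail transport and a real domain:

```python
"""Enumeration-resistant sign-up handler (added illustration, not from the thread).

The response sent back to the browser is identical whether or not the address
is already registered; the distinguishing information goes only into the email,
which only the mailbox owner can read.
"""
import secrets
from dataclasses import dataclass, field

# Same string, same status, for every sign-up attempt.
GENERIC_RESPONSE = "We sent you an email. Please confirm to continue."


@dataclass
class Store:
    """Constructed stand-in for the database and mail transport."""
    users: set = field(default_factory=set)       # registered addresses
    pending: dict = field(default_factory=dict)   # confirm token -> address
    outbox: list = field(default_factory=list)    # (to, subject, body)


def signup(store: Store, email: str) -> str:
    """Handle a sign-up request without revealing whether `email` is known."""
    email = email.strip().lower()
    # Generate a token on both paths so the amount of work is similar and
    # the response does not leak through an obvious timing difference.
    token = secrets.token_urlsafe(32)
    if email in store.users:
        # Existing account: tell the owner by email, not the requester.
        store.outbox.append((email, "About your account",
            "You just tried to register with this address, but an account "
            "with it already exists. Was that you? If you have forgotten "
            "your password, use the password-reset link."))
    else:
        # New account: store the pending confirmation and send the link.
        store.pending[token] = email
        store.outbox.append((email, "Confirm your account",
            f"Confirm your new account: https://example.invalid/confirm/{token}"))
    return GENERIC_RESPONSE
```

The endpoint still needs rate limiting, since every request results in an email being sent to the supplied address.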