by larschdk 1022 days ago
Best practice would be to display this message no matter whether the email address is correct or not, to avoid leaking information. Many sites do this.
3 comments

The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.
On the systems where I had to do this for my account I usually get a message like: "an email has been sent to the address registered with this account"

There is no benefit to revealing any details.

The benefit is that people often don't remember which email they used for a service. They check their "main" email inbox but don't remember that they used their student email address 8 years ago when they signed up. By providing a hint they know which inbox to check and don't get frustrated because the email isn't coming.

So it is a privacy tradeoff for better UX. Whether it is a good tradeoff will depend on how much you value each.

Why not just login to all of your email accounts in your email client?
Probably because fewer and fewer people are using a (non-web-based) email client.
I have many email addresses. I don't necessarily know which email address is associated with my account. Therefore, the user benefits from knowing which email inbox they should check.

That said, it could be that the security risk outweighs that convenience.

Isn't a step in password reset a prompt asking you to enter the email address the account is tied to?
Sometimes, not always.
That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info if they even have an account or are trying to use the correct email address.
Okay. Why not add a configuration option for this then so people who know what they are doing would be able to opt in for the more secure way?
I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.
> If account exists, you cannot make another with that email on most sites.

Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
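The sign-up flow described in the comment above, as an added example that is not any commenter's code: the browser always receives the same message, and the only thing that differs between the two branches is which e-mail goes to the address owner. The in-memory `UserStore`, the `outbox` list and the template names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a real user table: just a set of registered addresses.
@dataclass
class UserStore:
    emails: set = field(default_factory=set)

    def exists(self, email: str) -> bool:
        return email in self.emails

# The one message the browser ever sees, regardless of whether the address is taken.
SIGNUP_MESSAGE = ("If this account doesn't already exist, a message has been sent "
                  "to your email asking you to verify it.")

def signup(store: UserStore, email: str, outbox: list) -> str:
    """Handle a sign-up request without revealing whether the address is registered.

    Both branches do the same visible work (same message, one e-mail queued) so
    neither the response body nor the number of queued mails distinguishes them;
    the e-mail itself is the only channel that tells the address owner what happened.
    """
    normalized = email.strip().lower()
    # A token is generated on both paths so the two branches take comparable time.
    token = secrets.token_urlsafe(32)
    if store.exists(normalized):
        # Existing account: tell the real owner someone tried to sign up, no link.
        outbox.append({"to": normalized, "template": "account-exists-notice"})
    else:
        # New address: send the verification link; the account is only usable after it.
        outbox.append({"to": normalized, "template": "verify-email", "token": token})
    return SIGNUP_MESSAGE

if __name__ == "__main__":
    store = UserStore(emails={"alice@example.com"})  # constructed sample data
    outbox = []
    print(signup(store, "alice@example.com", outbox))
    print(signup(store, "bob@example.com", outbox))
    print(outbox)
```

The same shape applies to the reset-by-username flow discussed earlier in the thread: return one fixed sentence, and put any information that depends on whether the account exists into the e-mail rather than the HTTP response.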

? The comment you're replying to is talking about resetting by *account name*, not email address.
Ah, sorry, I see now, but the underlying point is the same. You should not reveal any information. A "We have sent an email to the address associated with the account" would be sufficient.
It is not sufficient.

The amount of disclosed information, and its utility, is non-zero, but simply weighs less than the amount of damage from not hinting which account to check.

Accounts can grow to be 20 years old, and even a "normal" person who is not actively using lots of addresses for security will still end up having used several in the fullness of time and completely forgotten about some, yet may still have or can regain access to them if only they knew to go look.

You don't see how that can happen or really be a problem? Oh well, consider yourself informed that it does happen and is a problem.

Not if you have multiple email accounts. Many times these codes reset in just a few minutes; you should try to avoid forcing users to spend time logging into every single email they can remember just to wait for an email to pop into one of them. You can show a few characters of an email or the first character of the domain to give a lot of info out in relative safety.

Everything is about tradeoffs, and the only objectively wrong answer is this dogmatic "never do $X" nonsense.
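The masked hint suggested above, plus the opt-in switch proposed earlier in the thread, as an added example that is not any commenter's code. `mask_email` keeps one or two leading characters of the local part and the first character of the domain, and `reset_response` shows both policies side by side: the neutral sentence is identical whether or not the username resolves to an account, whereas the hinted variant is only available once an account has been found, which is exactly the confirmation the thread is debating. The function names and the sample addresses are constructed for the example.

```python
import re
from typing import Optional

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

def mask_email(address: str) -> str:
    """Reduce an address to a recovery hint such as 'al***@u***.edu'.

    The visible part is deliberately tiny: a fixed '***' replaces the rest so the
    hint does not reveal the real length of the local part or the domain name.
    """
    if not _EMAIL_RE.match(address):
        raise ValueError("not an e-mail address")
    local, _, domain = address.rpartition("@")
    shown = 2 if len(local) > 3 else 1          # one char for very short local parts
    masked_local = local[:shown] + "***"
    host, dot, tld = domain.rpartition(".")
    if dot:
        masked_domain = host[:1] + "***." + tld   # keep the top-level label only
    else:
        masked_domain = domain[:1] + "***"        # bare host name, no dot to split on
    return f"{masked_local}@{masked_domain}"

# Text used by the "never reveal anything" policy; the same for every username.
NEUTRAL = "An email has been sent to the address registered with this account."

def reset_response(registered_email: Optional[str], reveal_hint: bool) -> str:
    """Message for a password reset requested by username.

    registered_email is None when the username matched no account. With
    reveal_hint=False the text never depends on that, so an observer learns
    nothing. With reveal_hint=True a found account gets a masked hint, which is
    the UX win the thread argues for and also the existence leak it warns about.
    """
    if not reveal_hint or registered_email is None:
        return NEUTRAL
    return f"An email has been sent to {mask_email(registered_email)}."

if __name__ == "__main__":
    print(mask_email("alice.student@university.edu"))   # constructed sample address
    print(reset_response("bob@gmail.com", reveal_hint=False))
    print(reset_response("bob@gmail.com", reveal_hint=True))
    print(reset_response(None, reveal_hint=True))
```

Whichever policy a site picks, the response should be chosen by configuration rather than by the individual handler, so the neutral text is returned from one place and stays byte-for-byte identical on both paths.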