by hathchip 1020 days ago
The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.

On the systems where I had to do this for my account I usually get a message like: "an email has been sent to the address registered with this account"

There is no benefit to revealing any details.

The benefit is that people often don't remember which email they used for a service. They check their "main" email inbox but don't remember that they used their student email address 8 years ago when they signed up. By providing a hint they know which inbox to check and don't get frustrated because the email isn't coming.

So it is a privacy tradeoff for better UX. Whether it is a good tradeoff will depend on how much you value each.
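The two designs the thread contrasts, side by side, as an added example that is not code from any commenter: a reset handler that echoes a masked email (the hint that lets someone who already knows a candidate address confirm or deny the link) and one that returns the same sentence for every username, plus the variant a later comment mentions where the requester must supply the email themselves. The account store, the masking rule and the `send_reset_email` stub are constructed for illustration.

```python
"""Password-reset responses: masked-email hint versus uniform message.
Example code written for this thread, not from any site discussed in it."""
import hmac

# Constructed sample account store: username -> registered email address.
ACCOUNTS = {
    "coolanonguy": "jane.doe@example.edu",
    "alice": "alice@example.com",
}

# The response that reveals nothing about whether the username exists or
# which address is registered to it.
UNIFORM_MESSAGE = ("If an account with that username exists, an email has "
                   "been sent to the address registered with it.")

# Stand-in for the mail queue: the handler enqueues, it does not send inline,
# so the requester cannot tell from response latency whether anything went out.
SENT = []


def send_reset_email(email):
    """Hypothetical enqueue hook (assumption: real code hands off to a queue)."""
    SENT.append(email)


def mask_email(email):
    """Keep the first character of the local part and the whole domain.
    This is the kind of hint the thread objects to: with a candidate address
    in hand, the masked form is enough to confirm or rule it out."""
    local, _, domain = email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def reset_response_hinting(username):
    """UX-friendly variant: tells the user which inbox to check, but the reply
    depends on both the username's existence and its registered address."""
    email = ACCOUNTS.get(username)
    if email is None:
        return "No account with that username."
    send_reset_email(email)
    return f"A reset email has been sent to {mask_email(email)}."


def reset_response_uniform(username):
    """Privacy-preserving variant: identical reply for every input; the only
    difference is a side effect the requester cannot observe."""
    email = ACCOUNTS.get(username)
    if email is not None:
        send_reset_email(email)
    return UNIFORM_MESSAGE


def reset_response_with_email_check(username, claimed_email):
    """Variant where the requester must enter the email: the mail is sent only
    if it matches the registered address, and the reply is uniform either way.
    compare_digest keeps the comparison itself from leaking via timing."""
    email = ACCOUNTS.get(username)
    if email is not None and hmac.compare_digest(email.lower(), claimed_email.lower()):
        send_reset_email(email)
    return UNIFORM_MESSAGE


def responses_distinguishable(handler, existing, missing):
    """Defender's check for a handler: does an existing username and a missing
    one produce different replies? True means the endpoint leaks existence."""
    return handler(existing) != handler(missing)


if __name__ == "__main__":
    for name, handler in (("hinting", reset_response_hinting),
                          ("uniform", reset_response_uniform)):
        leaks = responses_distinguishable(handler, "coolanonguy", "nobody")
        print(f"{name}: {'leaks' if leaks else 'does not leak'} account existence")
```

The `responses_distinguishable` check is the one worth wiring into a test suite: it fails the moment someone reintroduces a per-account detail into the reply body. Response bodies are only part of the surface; status codes, headers and latency should be held constant too, which is why the handler only enqueues the email.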

Why not just log in to all of your email accounts in your email client?

Probably because fewer and fewer people are using a (non-web-based) email client.
I have many email addresses. I don't necessarily know which email address is associated with my account. Therefore, the user benefits from knowing which email inbox they should check.

That said, it could be that the security risk outweighs that convenience.

Isn't a step in password reset a prompt asking you to enter the email address the account is tied to?

Sometimes, not always.