by jdubs 4077 days ago
LastPass is awesome but I hate their website login process! It bothers me to no extreme that if I type in my email address with a wrong username, it pops back with "Invalid password", while typing in an obviously random email, it pops back with an "Unknown email address. Would you like to create an account now?"

I worry that a malicious attacker could finger the service for potential victims.

2 comments

It is already normally possible to test whether an email address is registered by trying to register with that email address. Unless that process is secured too, it doesn't really make much sense to not pop up the "Unknown email address" error.
Correct -- It's a pet peeve of mine when login processes obscure this saying invalid password when the sign up process doesn't -- if you're going to tell people usernames aren't available then you shouldn't be avoiding it on the login screen.
Username enumeration is a valid concern. Requests on the login form (and some other places) are throttled. If you get too many emails wrong you will start only getting errors.
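The throttling behaviour described in the last comment, sketched as an added example that is not LastPass code and not written by anyone in the thread: a per-client sliding window counts unknown-email attempts, and once the limit is hit every reply collapses to one generic error, so the login form stops distinguishing registered from unregistered addresses. The threshold, window, message strings, class name and account set are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

KNOWN_EMAILS = {"alice@example.com"}  # constructed sample account store
MAX_UNKNOWN = 3       # assumed threshold, not a value from the thread
WINDOW_SECONDS = 300  # assumed sliding window

GENERIC = "Login failed."
UNKNOWN = "Unknown email address."
BAD_PASSWORD = "Invalid password."


class LoginThrottle:
    """Counts unknown-email attempts per client; hides detail once throttled."""

    def __init__(self, max_unknown=MAX_UNKNOWN, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_unknown = max_unknown
        self.window = window
        self.clock = clock
        # client id (e.g. source IP) -> timestamps of unknown-email attempts
        self._misses = defaultdict(deque)

    def _recent_misses(self, client):
        """Drop timestamps that fell out of the window, return the rest."""
        q = self._misses[client]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def attempt(self, client, email, password_ok=False):
        q = self._recent_misses(client)
        if len(q) >= self.max_unknown:
            # Throttled: identical answer whether or not the address exists,
            # and no login is granted until older misses age out.
            return GENERIC
        if email not in KNOWN_EMAILS:
            q.append(self.clock())
            return UNKNOWN
        return "OK" if password_ok else BAD_PASSWORD
```

Keying the counter on source address alone is the simplest choice; a deployment would usually also count per target account or globally, since guesses can be spread across many sources.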