I’m working on the forgot password feature for my app.
My understanding of best practice is to not tell the person making the forgot password request whether or not a particular email address is associated with an account on a site.
For example, a website might say, “We’ve attempted to send a reset link to [email provided]. Please check your email.”
However, it seems that bubble.is does give away whether an account with that email exists:
Does anyone have any experience with this issue? Am I being overly security conscious?
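The behaviour described in the post, as an added example that is not part of the original post: a reset handler that reveals whether an account exists, next to one that answers identically for every address. The in-memory user store, mail queue, function names and 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: in-memory stand-ins for a user table,
# a background mail worker's queue, and a reset-token table.
USERS = {"alice@example.com": {"id": 1}}
MAIL_QUEUE = []      # (address, token) pairs picked up by a worker later
RESET_TOKENS = {}    # sha256(token) -> (user_id, expiry timestamp)

GENERIC_MSG = ("We've attempted to send a reset link to {email}. "
               "Please check your email.")


def _issue_token(key):
    """Create a single-use token, store only its hash, queue the email."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (USERS[key]["id"], time.time() + 900)  # assumed 15 min
    # Queue instead of sending inline, so response time does not depend
    # on whether a message actually goes out.
    MAIL_QUEUE.append((key, token))


def leaky_reset(email):
    """Anti-pattern: status and message differ by account existence."""
    key = email.strip().lower()
    if key not in USERS:
        return 404, "No account found with that email."
    _issue_token(key)
    return 200, "Reset link sent."


def uniform_reset(email):
    """Same status and body for every address; only the side effect differs."""
    key = email.strip().lower()
    if key in USERS:
        _issue_token(key)
    # The caller must HTML-escape the echoed address before rendering it.
    return 200, GENERIC_MSG.format(email=email)
```

The same uniform wording has to apply on sign-up and login pages as well, otherwise those forms answer the question the reset form refuses to.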