If a user requests a password reset, they’re currently given this message:
WE'VE JUST SENT YOU AN EMAIL TO RESET YOUR PASSWORD.
I understand the security reason to be vague here. You can’t confirm or deny if this email has an account. However, this can be extremely frustrating if a user isn’t sent an email, yet the system tells the user an email WAS sent.
I suggest this message be changed to something like the one below, which neither confirms nor denies the account, but also doesn’t tell the user an email was sent if it wasn’t.
If your email was found in our account database, you will receive an email shortly!
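The pattern the post is asking for, shown as an added example that is not part of the original post or of any real product: a reset-request handler whose response is identical whether or not the address belongs to an account, with the conditional wording above as the single message. The user store, the `Mailer` class and the field names are constructed assumptions for illustration.

```python
"""Password-reset request handler that neither confirms nor denies that an
account exists. Example code added for illustration; the user store, mailer
and message text are constructed assumptions, not any real product's code."""
import secrets
import time
from dataclasses import dataclass, field

# The single response returned for every request. Because the wording is
# conditional, it is truthful both when an email is sent and when none is.
RESET_MESSAGE = ("If your email was found in our account database, "
                 "you will receive an email shortly!")


@dataclass
class Mailer:
    """Constructed stand-in for an outbound mail queue (assumption)."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str, token: str) -> None:
        # In production this should enqueue rather than send synchronously,
        # so the response time does not depend on whether mail was sent.
        self.sent.append((email, token))


def request_password_reset(email: str, users: dict, mailer: Mailer) -> dict:
    """Handle a reset request.

    `users` maps lowercase e-mail -> user record (constructed sample store).
    Returns the response body the client sees; it is identical whether or
    not `email` belongs to an account, so the response cannot be used to
    enumerate registered addresses.
    """
    normalized = email.strip().lower()
    user = users.get(normalized)
    # Generate the token unconditionally so the known and unknown paths
    # do roughly the same work.
    token = secrets.token_urlsafe(32)
    if user is not None:
        user["reset_token"] = token
        user["reset_expires"] = time.time() + 15 * 60  # 15-minute validity
        mailer.send_reset(normalized, token)
    # Same status, same message, no account-dependent fields.
    return {"status": 200, "message": RESET_MESSAGE}


if __name__ == "__main__":
    store = {"alice@example.com": {}}   # constructed sample account
    mailer = Mailer()
    print(request_password_reset("Alice@Example.com", store, mailer))
    print(request_password_reset("nobody@example.com", store, mailer))
    print("emails queued:", len(mailer.sent))
```

The response body alone is not the whole story: the lookup and mail hand-off should take the same time on both paths (queue the mail, do not send it inline), and the endpoint should be rate-limited, or an attacker can still enumerate accounts by timing rather than by reading the message.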