What’s the reason behind not notifying users that they entered a wrong email when they recover their password?
Sorry, I was not able to make the title any shorter.
Today I stumbled across the password recovery from Dropbox. Here, users have to enter their email address and Dropbox says:
If a Dropbox account exists for does.this@email.exist, an e-mail will be sent with further instructions.
https://www.dropbox.com/forgot?email_from_login=does.this@email.exist
But what is the reason behind this? First, I thought they try to prevent attackers from randomly guessing email addresses and checking whether they are registered or not. Imagine you know that Donald.Trump@yahoo.com is registered with, e.g., Craigslist. This might be a great privacy issue in some cases.
But then I remembered that your email is checked against all existing email addresses when a new account is registered.
So, what is the reason behind this behavior?
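As an added illustration (not part of the question and not Dropbox's code), the handlers below run over a constructed user table and show what the uniform reply prevents on the reset page, together with the registration-side counterpart the question alludes to; the function names, the sample table and the `OUTBOX` mail-queue stand-in are assumptions made for the example.

```python
import secrets

# Constructed sample user table, keyed by lower-cased e-mail (not real data).
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}
OUTBOX = []  # constructed stand-in for the outgoing mail queue


def reset_leaky(email: str) -> str:
    """Enumeration oracle: the reply reveals whether the address is registered."""
    if email.lower() not in USERS:
        return "No account is registered for that e-mail address."
    OUTBOX.append((email, "reset:" + secrets.token_urlsafe(32)))
    return "We sent a reset link to " + email + "."


def reset_uniform(email: str) -> str:
    """Same reply either way; only the mailbox owner learns whether a link was sent."""
    if email.lower() in USERS:
        OUTBOX.append((email, "reset:" + secrets.token_urlsafe(32)))
    return ("If an account exists for " + email +
            ", an e-mail will be sent with further instructions.")


def signup_uniform(email: str) -> str:
    """Registration counterpart: an existing account gets an 'already registered'
    mail, a new one gets a verification mail; the page text is identical."""
    key = email.lower()
    if key in USERS:
        OUTBOX.append((email, "already-registered-notice"))
    else:
        USERS[key] = {"id": len(USERS) + 1, "pending": True}
        OUTBOX.append((email, "verify:" + secrets.token_urlsafe(32)))
    return "Check " + email + " for a message to finish signing up."


def leaks_existence(handler, registered: str, unknown: str) -> bool:
    """True if the visible reply differs between a registered and an unknown
    address once the echoed address itself is masked out."""
    a = handler(registered).replace(registered, "<email>")
    b = handler(unknown).replace(unknown, "<email>")
    return a != b
```

A real deployment would also hand the mail send to a background queue so the response time does not differ between the two branches, and would rate-limit the endpoint.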