triflesoft/django-application-talos

User enumeration through forgot password functionality


Problem:
An attempt to recover the password for a non-existent account returns a different answer.

Possible impact:
Such behavior allows user enumeration, which makes brute-force attacks easier and, since the username is an email, enables lead scraping and social engineering attacks.

Solution:
Responses from authentication or recovery mechanism must give no information about user existence. Return the same exact message (including headers, HTTP status, etc.) if a user does or does not exist.
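As an added illustration of the fix (this is example code, not code from django-application-talos): the leaky pattern beside a handler that returns one pre-built response on every path, plus a check that the fixed handler answers identically for a registered and an unregistered email. The `USERS` store, `SENT` queue and `Response` type are stand-ins for the real user model, mail backend and HTTP response.

```python
"""Added example, not django-application-talos code: a leaky password-recovery
handler beside a fixed one, and a check that the fixed handler's response is
identical (status, headers, body) for known and unknown emails."""
from dataclasses import dataclass, field
import secrets

# Constructed sample user store (email -> user id); stands in for a DB lookup.
USERS = {"alice@example.com": 1}

# Stand-in for an outbound mail queue; recorded here for inspection only.
SENT = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=lambda: {"Content-Type": "application/json"})


def recover_password_leaky(email: str) -> Response:
    """Vulnerable pattern: status and body differ depending on whether the account exists."""
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return Response(404, '{"detail": "No account with that email."}')
    SENT.append((email, secrets.token_urlsafe(32)))
    return Response(200, '{"detail": "Reset link sent."}')


# One response object, built once and returned on every path of the fixed handler.
GENERIC = Response(200, '{"detail": "If that email is registered, a reset link has been sent."}')


def recover_password_fixed(email: str) -> Response:
    """Fixed pattern: same status, headers and body whether or not `email` is registered."""
    user_id = USERS.get(email.strip().lower())
    # Generate the token on every path so the work done does not depend on the
    # lookup result; the mail itself should be queued, not sent inline, so that
    # response timing does not leak the difference either.
    token = secrets.token_urlsafe(32)
    if user_id is not None:
        SENT.append((email, token))
    return GENERIC


def responds_uniformly(handler, known: str, unknown: str) -> bool:
    """True if `handler` returns an identical response for a known and an unknown email."""
    return handler(known) == handler(unknown)
```

Run `responds_uniformly` against your own recovery view in a test so a regression to per-user responses fails CI.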