Not a bug GDPR violation: "Reset password" function leaks (registered) email addresses!

We don't believe this is a GDPR violation. Regardless, as noted, it's essentially impossible to fix. Even if a change were made to the lost password system (which would trigger a significant drop in usability), the email checking during registration is a mandatory thing so it's still exposable there. Beyond that, also as mentioned, the email address in question has to be known already; knowing that may tell you whether the account is registered, though it doesn't tell you any further info (such as the account it's tied to, the status of the account and whether it was verified, etc.).

So essentially, we don't believe there's anything to change here.
 