XenForo sign-up system - Privacy / Security Concern?

melbo

Well-known member
Was reading this discussion https://news.ycombinator.com/item?id=8683003

Is it wise to confirm the validity of an account / email address like below?

Seems like it should fail silently, skip this warning and go directly to the 'Check your email' screen: sending the confirmation email to the new member's email address or an alert to the address already in use.


[Attached image: upload_2015-3-26_14-45-26.webp]
 
Realistically, there isn't any way to prevent this. While you propose failing silently, the act of failing would itself lead to evidence that could be used to determine the result. If you do this here and you go back to hiding the result on failed logins or lost password requests, you're really making the experience demonstrably worse for the average case. There is always a convenience/security trade-off.
 
Yeah. I suppose that if I attempted to register an email and I didn't receive a confirmation email I could assume that an account was registered to that email. No way around it then.

Email confirmation by itself is already a hurdle that an average user must overcome to finalize the account.
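
The flow proposed in the first post (the same 'Check your email' screen either way, with a confirmation email for a new address or an alert to an address already in use), sketched as an added example that is not part of the thread and is not XenForo code. The class, method and template names are hypothetical, and the account store and mail queue are in-memory stand-ins.

```python
import hashlib
import secrets


class SignupService:
    """Constructed in-memory model of an enumeration-resistant sign-up."""

    GENERIC = {"status": 200, "body": "Check your email to continue."}

    def __init__(self):
        self.accounts = {}  # normalized email -> username
        self.pending = {}   # sha256(token) -> (email, username)
        self.outbox = []    # (recipient, template) queued for async delivery

    @staticmethod
    def _normalize(email):
        return email.strip().lower()

    def register(self, email, username):
        addr = self._normalize(email)
        # Mint and hash a token on every request so both branches do the
        # same up-front work; mail is queued, never sent inline, so the
        # request does not wait on SMTP in one branch only.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if addr in self.accounts:
            # Address already in use: alert its owner, create nothing.
            self.outbox.append((addr, "signup_attempt_notice"))
        else:
            self.pending[digest] = (addr, username)
            self.outbox.append((addr, "confirm_registration:" + token))
        # Identical status and body on both paths. Only someone who can
        # read the mailbox sees which of the two messages arrived.
        return dict(self.GENERIC)

    def confirm(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.pending.pop(digest, None)  # tokens are single-use
        if record is None or record[0] in self.accounts:
            return False
        self.accounts[record[0]] = record[1]
        return True
```
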
 
By the way, what happens when somebody uses a banned domain (set in ACP or via some antispam API) as their social media account email and uses that account to register on the site?
 