Forgotten password reminder is not helpful to user who enters one of their email addresses LP doesn't know

I suggest the text say something like "If foo@bar is a valid LP user, we've sent an email, but if it isn't, we haven't." It's not clear from that page that "don't send an email" is a perfectly valid response to the request.

Or you could send a mail saying "hi, you asked for your password, but
you don't have an account at this address...."

The obvious solution is to send out an email inviting the user to create an account if it is an unrecognised account email, however the decision was made to send no email in these instances to protect peoples accounts and personal information. I will bring it up with the developers for further discussion at this point though.

Assuming the $evildoer has no means to snoop the email which Launchpad sent out (a fair and necessary assumption IMO), sending an email detailing how to create an account should not constitute a security leak. If $user can receive email on the address provided, they have proved their link to that address by being able to receive the email.

Offering the user to create an account on the web form would be a clear information leak though.

Agreed, we should send a mail to the user inviting them to create an account.

Maybe I am blind, but I fail to see how acknowledging that any particular email address has an associated account at Launchpad could lead to a security breech. Methinks somebody's paranoia has gotten the better of them.

Confirming the existence of an account registered with a specific email address is the first step in a targeted phishing campaign. If a phisher can then cross-reference that address with data they've obtained from other sources, they can craft very convincing emails and web pages which regular users find very difficult to identify. I've seen these kind of targeted attacks in action and I've worked with a security consultancy to review similar projects in the past; this is not paranoia.

Yes it is.

We talked about this on IRC and the consensus was to send a message to whatever address the user entered, either with a password reset code (if they have an account) or a clear message stating the address has no account but that they're welcome to make one.

Also, this came up repeatedly at the Support CoP meeting at UDS. It affects every login-based service and thus every support team and everyone wants it fixed ASAP. Can we do this soon?

toykeeper mentioned that if we began the registration process and sent the token/link to the user to confirm, some users would be more likely to create additional accounts that they don't want. If the user is hitting the situation in this bug, they are probably already confused about their accounts, so it sounds like sending only an invitation to register is a better approach.

Some serious grammar issues in the email, should be fixed before release.