PSA that your 'forgot password' flow leaking whether an email exists is a real privacy bug, not a nitpick. Same response and timing for valid and invalid accounts. Stalkers and credential-stuffers love an oracle. #web #design

Jun 23, 2026, 8:20 PM