Hey @davidshute, I completely agree with you about best practices and improved security, but I still see lots of web applications presenting a nice error if the email address is not found. Nicest example is at pingdom.com.
So stepping away from security aspects, if it’s a business requirement you still need to test for it. And some sites send you in clear text your original password which is even worse, but these sites still exist and are hard to ignore them.