On Feb 23, 2015 12:06 PM, "Lars Aronsson" lars@aronsson.se wrote:
It would be possible to just say "sorry, login by e-mail is not possible for you; please login by username".
No, that isn't possible. We can't reveal existence or non-existence of an account with an address. If there's more than one with a given address and we throw that error message then we've revealed something we can't.
Multiple accounts match response should be identical to wrong password response and identical to no such email/username response.
-Jeremy