We are going back and forth discussing how to deal with privacy issues during failed authentication, password reset and account creation on a web application.
Let's say I am in the process of creating an account on an application and I am using an email address that is already in use. If the application sends feedback directly to the end user saying "this email is already registered", it might expose privacy-sensitive information about the account using that particular email. I could, for example, check whether a certain person has an account on the application simply by using his/her email address during this process.
This is certainly a problem for applications dealing with sensitive content (for example, websites similar to Second Love or Tinder).
Similar issues occur when resetting passwords or trying to log in with the wrong password. Useful user feedback seems like a must, but it could be used by others to violate the privacy of already registered users.
For registering an account, the problem could easily be solved by sending feedback along the lines of "further instructions have been sent to your email". This does not necessarily mean the account already exists. The email could then say that "this email is already linked to another account", including instructions on how to proceed; when the email is not yet in use, we simply send a link to activate the new account, which allows the user to finalize the registration process.
Something similar could be done for password reset: "further instructions have been sent to the email address". This doesn't expose anything.
But for failed login attempts, such a solution is not particularly user-friendly: "this email/password combination is not recognized".
The user might wonder: did I use the wrong email address or the wrong password?!
Lots of websites simply send feedback along the lines of "we cannot find an account with that email address" or "wrong password provided".
With privacy rules/laws getting stricter every day after many scandals, I wonder whether the above response is acceptable for any web application, but it seems that even the big ones (Google, Amazon, Facebook, etc.) don't mind and simply show that the email used is recognized.
Am I exaggerating the care for the privacy of the application's registered users? Is there some best practice or useful read on this particular topic?
EDIT: Older questions on Stack Exchange and other blog posts mostly discuss the topic of exposing user information from a security point of view. But the General Data Protection Regulation (GDPR) is kicking in soon, and I am particularly interested in the privacy issue related to revealing account-specific information.
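To make the registration, password-reset and login flows described above concrete, here is an added example in Python. It is not code from the question or from any of the sites it mentions. The `register`, `request_password_reset` and `login` functions, the in-memory user store, the `OUTBOX` list standing in for a mail transport and the `example.invalid` links are all hypothetical. The web-facing response is identical whether or not the address is registered; the branch on account existence is moved into the email, which only the mailbox owner can read. `login` additionally runs the same PBKDF2 work against a dummy credential for unknown addresses, so that response time is not an enumeration signal either.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory user store: normalized email -> (salt, pbkdf2 hash).
# A real application would use its database; this is a constructed stand-in.
_USERS: dict[str, tuple[bytes, bytes]] = {}

# Stand-in for a mail transport. The only place where "account exists or not"
# is spelled out is in messages appended here, i.e. in the user's own mailbox.
OUTBOX: list[tuple[str, str]] = []

_ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (illustrative value)

# Dummy credential used for unknown emails so the login path does the same
# hashing work regardless of whether the account exists. Nobody knows this
# password, and the explicit membership check below rules it out anyway.
_DUMMY_PASSWORD = "dummy-password-never-used"
_DUMMY_SALT = os.urandom(16)


def _normalize(email: str) -> str:
    return email.strip().lower()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_DUMMY_HASH = _hash_password(_DUMMY_PASSWORD, _DUMMY_SALT)


def create_user(email: str, password: str) -> None:
    """Finalize an account (what the activation link would eventually do)."""
    salt = os.urandom(16)
    _USERS[_normalize(email)] = (salt, _hash_password(password, salt))


def register(email: str) -> str:
    """Registration step 1: same response for every address; the email carries the branch."""
    key = _normalize(email)
    if key in _USERS:
        OUTBOX.append((key, "This address is already linked to an account. "
                            "If that was you, sign in or reset your password."))
    else:
        token = secrets.token_urlsafe(32)  # hypothetical single-use activation token
        OUTBOX.append((key, f"Activate your new account: https://example.invalid/activate/{token}"))
    return "Further instructions have been sent to your email address."


def request_password_reset(email: str) -> str:
    """Password reset: identical response whether or not an account exists."""
    key = _normalize(email)
    if key in _USERS:
        token = secrets.token_urlsafe(32)  # hypothetical single-use reset token
        OUTBOX.append((key, f"Reset your password: https://example.invalid/reset/{token}"))
    else:
        # Still send mail, so "did I get an email?" reveals nothing to anyone
        # other than the owner of the mailbox.
        OUTBOX.append((key, "A password reset was requested for this address, "
                            "but there is no account linked to it."))
    return "Further instructions have been sent to your email address."


def login(email: str, password: str) -> tuple[bool, str]:
    """Login: one generic failure message, and equal hashing cost for unknown users."""
    key = _normalize(email)
    salt, stored = _USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest avoids leaking where the hashes diverge; the membership
    # check makes the dummy credential unusable even if it were guessed.
    if hmac.compare_digest(candidate, stored) and key in _USERS:
        return True, "Welcome back."
    return False, "That email and password combination is not recognized."


if __name__ == "__main__":
    create_user("alice@example.invalid", "correct horse battery staple")
    print(register("alice@example.invalid"))          # existing address
    print(register("bob@example.invalid"))            # new address, same sentence
    print(login("alice@example.invalid", "wrong"))    # wrong password
    print(login("carol@example.invalid", "wrong"))    # unknown address, same message
    for recipient, body in OUTBOX:
        print(f"mail to {recipient}: {body}")
```

The trade-off the question raises is visible in `login`: the generic message is deliberately unhelpful to the legitimate user, and the recovery path for "which one did I get wrong?" is the password-reset flow, which is safe to expose because its response is also uniform. Equalizing the hashing work only narrows the timing side channel; rate limiting and lockout on the login and reset endpoints are still needed to stop bulk enumeration and guessing.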