Being on the company security email list, I get emails with some regularity complaining about email discovery on various forms on my employer's website. The reporters are complaining about things like our login form returning a specific message like "Your password is incorrect." rather than "The email/password provided are incorrect." This lets possible attackers know that a certain email address is in use for an account.
I understand the issue here, and it's easy to change the messaging for a login or account recovery form. However, what can I do about a signup form? We only want one account for any given email address. I've looked at some other popular online services, and their signup forms specifically tell you that the email address is in use.
Is there just no way around this? If that's the case, should I really pay any heed to the people complaining about email discovery on the login form?
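As an added illustration of the login-form point raised above (example code written for this page, not the asker's or the employer's system), the snippet below puts the two behaviours side by side: a handler that returns a different message for "unknown email" and "wrong password", and one that returns the single generic message the reporters are asking for. The in-memory user store, the email addresses and the passwords are constructed sample data. The second handler also hashes against a dummy record when the email is unknown so that the two failure paths take similar time; that timing caveat is an addition of this example, not something the question discusses.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> (salt, PBKDF2 hash).
# This stands in for the real account database and is sample data only.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

GENERIC_ERROR = "The email/password provided are incorrect."


def leaky_login(email: str, password: str) -> tuple[bool, str]:
    """The behaviour the reporters complain about: the message differs
    depending on whether the email address exists."""
    if email not in USERS:
        return (False, "No account with that email address.")
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Your password is incorrect.")
    return (True, "ok")


# Dummy record used when the email is unknown, so that the unknown-email
# path still performs one password hash and takes about the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)


def uniform_login(email: str, password: str) -> tuple[bool, str]:
    """Same message for an unknown email and for a wrong password."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # The explicit membership check guards against a guess that happens to
    # equal the dummy password; the message stays generic either way.
    if not matches or email not in USERS:
        return (False, GENERIC_ERROR)
    return (True, "ok")


def leaks_existence(login_fn, known_email: str, unknown_email: str) -> bool:
    """Check a login handler the way a reporter would: does the error text
    differ between an unknown email and a known email with a wrong password?"""
    _, unknown_msg = login_fn(unknown_email, "definitely-wrong")
    _, known_msg = login_fn(known_email, "definitely-wrong")
    return unknown_msg != known_msg


if __name__ == "__main__":
    for fn in (leaky_login, uniform_login):
        print(fn.__name__, "leaks account existence:",
              leaks_existence(fn, "alice@example.com", "bob@example.com"))
```

`leaks_existence` is the simplest regression check to keep around: run it against each authentication endpoint so that a later wording change cannot quietly reintroduce the distinguishable message.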