I may be misunderstanding the situation, but it appears to me that when customers submit a request for a forgot password email it gives them a success message regardless of whether the provided email exists in the system as either a login or eaddress. I looked through the documentation and there is no mention of "error messaging", just the message for when the submission goes through. It doesn't happen often, but every once in a while we get customers who complain that they're not getting their password reset emails, but it's simply because the eaddress isn't associated with a login, and TNEW does not give them any indication of this issue. We primarily do not create logins when adding eaddresses to new records for regular phone/window sales. We did do that once, but it just caused more issues since people weren't aware of that fact and got frustrated when it would not let them register a new account, so we figured it's easier to just merge accounts later.
Does anyone experience this issue often? I was thinking perhaps we could update the success message to explain this, but I can't think of a way to word it that wouldn't be too confusing to the customer?
Functioning as intended. If the form gives positive or negative confirmation on whether an email address is in the system, then it can be used to discover accounts by a bot. I think there is actually a PCI rule about it. It is a nuisance for customers.
We did spend a while massaging our messaging. I'd check around on other people's sites to see what they've come up with.
[double checks]
Looks like that messaging was lost at some point and we just have the default. So yeah, check other sites.
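The point made above, that a reset form should answer identically whether or not the address is known, as an added example that is not TNEW's code or anything from the thread: a leaky handler beside a uniform one, plus a small check that tells them apart. The account table, the message wording and the `Outbox` mailer stand-in are all constructed for the example.

```python
"""Added example (not TNEW code): why a forgot-password form answers the same
way for known and unknown addresses, and how to verify that it does."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the only address that has a login in this toy system.
ACCOUNTS_WITH_LOGIN = {"alice@example.com": "user-001"}

# Constructed wording: one message shown to every requester, never confirming
# whether the address exists, and telling the customer what to do if nothing arrives.
RESET_MESSAGE = (
    "If an account is located for that email address, a password reset link has "
    "been sent. If it does not arrive within a few minutes, contact the box office."
)


@dataclass
class Outbox:
    """Stand-in for the mail queue so the example runs offline."""
    sent: list = field(default_factory=list)


def _issue_token(email: str, user_id: str, outbox: Outbox) -> None:
    """Queue a reset link; only the hash of the token would be stored server-side."""
    token = secrets.token_urlsafe(32)
    outbox.sent.append({
        "to": email,
        "user_id": user_id,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
    })


def leaky_request_reset(email: str, outbox: Outbox) -> dict:
    """The pattern to avoid: the response itself reveals whether a login exists,
    so anyone can test a list of addresses against the form."""
    normalized = email.strip().lower()
    user_id = ACCOUNTS_WITH_LOGIN.get(normalized)
    if user_id is None:
        return {"status": 404, "message": "No account found for that email address."}
    _issue_token(normalized, user_id, outbox)
    return {"status": 200, "message": "A reset link has been sent."}


def request_reset(email: str, outbox: Outbox) -> dict:
    """Uniform behaviour: same status, same message, and the same hashing work
    on both paths so neither the body nor the timing distinguishes them.
    Only the side effect (an email actually queued) differs."""
    normalized = email.strip().lower()
    user_id = ACCOUNTS_WITH_LOGIN.get(normalized)
    if user_id is not None:
        _issue_token(normalized, user_id, outbox)
    else:
        # Burn equivalent work for unknown addresses; result is discarded.
        hashlib.sha256(secrets.token_urlsafe(32).encode()).hexdigest()
    return {"status": 200, "message": RESET_MESSAGE}


def responses_distinguish(handler) -> bool:
    """Defender's self-check: does the handler answer a known and an unknown
    address differently? A hardened form should return False here."""
    known = handler("alice@example.com", Outbox())
    unknown = handler("nobody@example.com", Outbox())
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:", responses_distinguish(leaky_request_reset))
    print("uniform handler enumerable:", responses_distinguish(request_reset))
```

The uniform handler still only sends mail when a login exists; what the customer sees is identical either way, which is exactly why the message has to carry the "if nothing arrives, contact us" guidance rather than an error.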
Aha, I had a feeling there was a good reason behind it. Thankfully it doesn't happen often. I do see there is a phrase "if your account is located". Perhaps we just need to add a message about who to contact if the email does not come through.