Even though they show the starred email address and one of the suggestions is not to show the email, I really hope people don't do that.
There is nothing more frustrating than when you're recovering your password and the site says "we have sent you an email" with no hint where, and even worse, sometimes they say "if that email was in our records then you should get the link" and you're wondering whether that worked, and the #1 worst is when this comes after making me solve 10 traffic lights and zebra crossings.
Because at that moment I feel it's just easier to start over and create a new account.
I don’t think you having to either A) remember what email you used or B) create a new account is a big ask when the alternative is leaking your account presence on a given system. Not everyone wants other people to be able to essentially query a given app for an email account.
Monitor having issues. Google solution. Land on a forum, but to see the full post / solution it requires email registration. I register with a junk yahoo type email address. Complete the long form, solve all the traffic lights, etc. Then get the solution, make a few posts and probably forget about it.
Monitor having a problem again after 2 years, same forum, but it says my very unique username is taken. Now, I vaguely remember creating an account but don't remember what email I used. I try to reset my password but dang, each time it says "If that email was in our db you'll get it". If I get a hint I used yahoo, maybe I can resume and hopefully use my old account and some post count rather than starting a 1-day-old account with 0 posts.
So your idea is to always give malicious actors additional information for account takeovers so you can use an account with a non-zero post count (not just non-zero, but only 1 or 2 as you insinuated)? Do you not see how naive that is?
I understand you feel that way, just want to explain why sites do that. If they give you a clear answer yes or no if it worked, others could check which emails are registered on the website. So in order to leak the information on who has an account or not, they are ambiguous with their answers if the recovery was triggered or not.
It's, as always, about a balance between faster user experience and more extensive security features.
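The trade-off discussed in this thread, as an added example that is not part of any comment above: a reset handler whose reply depends on whether the address is registered, next to one that answers identically either way. The account set, handler names and the `distinguishable` check are hypothetical, and the data is constructed.

```python
import secrets

# Constructed sample data: addresses registered on a hypothetical site.
REGISTERED = {"alice@example.com", "bob@example.org"}
GENERIC = "If that email is in our records, a reset link has been sent."


def normalize(email):
    """Compare addresses case-insensitively and without stray whitespace."""
    return email.strip().lower()


def leaky_reset(email, outbox):
    """Reply differs by account existence, so callers can probe addresses."""
    email = normalize(email)
    if email not in REGISTERED:
        return 404, "No account with that email."
    outbox.append((email, secrets.token_urlsafe(32)))
    return 200, "Reset link sent to " + email


def uniform_reset(email, outbox):
    """Same status and body on both paths; mail is queued only for real accounts."""
    email = normalize(email)
    token = secrets.token_urlsafe(32)  # generated on both paths
    if email in REGISTERED:
        # Assumption: outbox is a queue drained by a background worker, so
        # delivery time does not show up in the HTTP response time.
        outbox.append((email, token))
    return 200, GENERIC


def distinguishable(handler, known, unknown):
    """True if the responses alone separate a registered address from an unregistered one."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for handler in (leaky_reset, uniform_reset):
        leaks = distinguishable(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, "leaks account existence:", leaks)
```

The same comparison applies to any other flow that accepts an email address, such as registration or login error messages, since one leaky endpoint undoes the uniform one.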