When recovering a password, the script returns an error if the email-adress is not stored in the database.
With this behavior, someone can figure out if there are certain users registered.
According to the new data protection regulation in the European Union, this is a violation of personal rights.
In such a case, there should be shown a neutral message that contains something like: "If your email is in our system, you will recive in short recovery instructions."