This is what happened when I submitted the forgot password form multiple times. I could do this just by pressing and holding the return key on the keyboard… (ignore the account locked message)
This also opens up the possibilities for timing attacks:
It shows a very clear pattern in response time between account match and non-account match.
All the responses below 200ms were non-existing email addresses. Everything above was a match (my email).
(My cat walked over my keyboard and that led to the discovery.)
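One way to close both gaps described in the report, as an added example that is not code from the original post or from the affected project: the request path does identical work for every address and defers the account lookup to a background worker, and a sliding-window limiter throttles repeated submissions. All names here (`ForgotPassword`, `SlidingWindowLimiter`, the in-memory queue and user set) are hypothetical.

```python
import time
from collections import defaultdict, deque

USERS = {"alice@example.test"}          # constructed sample account store
GENERIC = "If that address has an account, a reset link is on its way."

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now, q = self.clock(), self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class ForgotPassword:
    def __init__(self, limiter):
        self.limiter = limiter
        self.jobs = deque()              # stands in for a real background queue
        self.sent = []                   # mails the worker "sent"

    def handle(self, client_ip, email):
        """Request path: no account lookup, so timing cannot depend on it."""
        email = email.strip().lower()
        # Throttle per client and per target address (held-down Enter key).
        if not (self.limiter.allow(("ip", client_ip))
                and self.limiter.allow(("email", email))):
            return 429, "Too many requests, try again later."
        self.jobs.append(email)          # same work for every address
        return 200, GENERIC

    def run_worker(self):
        """Background path: lookup and mail happen off the response."""
        while self.jobs:
            email = self.jobs.popleft()
            if email in USERS:
                self.sent.append(email)
```

The per-address limit is applied whether or not the account exists, so the 429 response does not become a new enumeration signal.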