The password reset form shows the email address. This can be used to harvest email addresses.
A better solution would be to just show the domain name. E.g.: user joesmith is registered with firstname.lastname@example.org.
The reset page should say "mail has been sent to your email ending with @example.com" or some such.
Google Code Info:
Issue #: 105
Created On: 2010-06-21T15:47:04.000Z
I'd like to see this change as well.