The use case I'm asking for input on is this: The user has forgotten
their password and types in an email address that is not in our
system. Currently we tell them that we don't have that email address
in our system and to try another or register. However, we have been
mandated to address the security issues around this approach.
Apparently, by telling the user we don't have that email address in
their system allows a hacker/attacher to keep trying other email
addresses until they get a match.