On the Change your password page, user enumeration is happening and it must change.
Simply replace the message "Error: Invalid username or e-mail address." with something like "an email has been sent to the address on record."
I don't think we consider this a security issue. We even provide API methods for users with view access to check if a specific userLogin or userEmail exists.
Users with view access do indeed have the ability to check whether an account exists,
but I'm wondering about anonymous users (thanks for reporting this issue @fadi-assaad), is it currently the only place where one can check whether a given username/email account exists?
I suppose there are a couple more places... I wouldn't be surprised if UsersManager.getTokenAuth exposes it, and lots of other places.
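The change proposed in the first post, sketched as an added example that is not the project's code: a reset handler that returns the message quoted in the report next to one that answers identically for every input, plus a regression check that compares the two responses. The user store, mail queue, function names and HTTP status codes are all assumptions made for illustration.

```python
# Added example: hypothetical in-memory user store and mail queue,
# not the project's implementation.
import secrets

USERS = {"alice": "alice@example.org"}  # constructed sample account
MAIL_QUEUE = []                         # stands in for an out-of-band mailer

GENERIC = "An email has been sent to the address on record."


def _find_email(login_or_email):
    """Return the e-mail on record for a login or address, or None."""
    needle = login_or_email.strip().lower()
    for login, email in USERS.items():
        if needle in (login, email.lower()):
            return email
    return None


def reset_enumerable(login_or_email):
    """'Before' behaviour: the error reveals whether the account exists."""
    email = _find_email(login_or_email)
    if email is None:
        # Status code is assumed; the message is the one quoted in the report.
        return 400, "Error: Invalid username or e-mail address."
    MAIL_QUEUE.append((email, secrets.token_urlsafe(32)))
    return 200, GENERIC


def reset_uniform(login_or_email):
    """Same status and body for every input; mail is queued only on a match."""
    email = _find_email(login_or_email)
    if email is not None:
        MAIL_QUEUE.append((email, secrets.token_urlsafe(32)))
    return 200, GENERIC


def leaks_existence(handler, known, unknown):
    """Regression check: True if the two responses can be told apart."""
    return handler(known) != handler(unknown)
```

The same comparison can be pointed at any other anonymous endpoint that accepts a login or e-mail, since a uniform reset form does not help if another endpoint still answers differently for known and unknown accounts.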