Should a user registration form indicate if an email address is already in use?

7

18

It seems pretty typical to limit user accounts to unique email addresses. So on my user registration form, I am doing email validation and returning a message like

An account has already been registered for [email protected]

Then it occurred to me that an attacker could use this form to determine information about my users. Is there an alternative way to provide validation messages to my users without compromising security? It doesn't seem to me there is any way around it.

Aquila answered 7/1, 2012 at 20:5 Comment(0)
12

For most kinds of sites, I would expect that explicitly hiding this information would be a poor user experience trade-off. The better solution is to use CAPTCHA to help prevent war-dialing of email addresses.

The exception would be in cases where an attacker is seeking out information about a specific user (rather than just trying to find "some account"). As an example, if your site caters to people who have a strong interest in anonymity, and there are attackers who have a strong interest in finding out if a specific user is using the site, then the approach should be different. My approach would likely be to send an email to the address indicating the "already registered" error. The user experience annoyance would be outweighed by the user's anonymity interest.

Sadesadella answered 7/1, 2012 at 20:14 Comment(0)
9

Rob Napier's answer is correct. You should decide whether your users actually need that anonymity at the cost of degraded UX (in most cases they wouldn't care).

Here's how some big names do it:

  • AWS: Error: Account with this email already exists.
  • Apple ID: This email address is not available. Choose a different address.
  • Cloudflare: A user with that email already exists (Code: 1079)
  • Linkedin: Someone's already using that email.
  • Stack Overflow: Forgot your account’s password or having trouble logging into your Team? Enter your email address and we’ll send you a recovery link.
Tereasaterebene answered 27/10, 2020 at 22:10 Comment(0)
4

Simply tell them they cannot use the email address they have supplied? You don't need to give any more reason than that. If they know it's not their email they might still guess it's an existing address, but you haven't confirmed that.

Or

How about telling them you've sent an email to that address and they need to confirm - even if you haven't.

Brannen answered 7/1, 2012 at 20:14 Comment(1)
Showing a "Forgot your password?" link at the same time might help jog their memory. Headland
2

I can think of one way: you could ask for an email address and then send the link for a one-time registration form to that email address. You might need a captcha in there to stop spam. If the email is already in the system it could send a message saying that they already have an account.

I think this is unnecessary though, unless your website is especially secret, like a support group for abuse victims.

Unintentional answered 7/1, 2012 at 20:11 Comment(0)
0

I don't think it is really possible to create an error message without indicating that the email address is already in use, as that is the point of the email address.

Hookup answered 7/1, 2012 at 20:11 Comment(0)
0

These are the options I see:

1) Display a not so clear error message like "Email address is invalid"
2) Accept the registration and inform the user about his earlier account via email (I would suggest that)

In any case you can improve security through captcha codes and throttling requests by the same client. If you care that much about the privacy of your users, forcing a unique email registration is maybe not suitable for your site.

Kief answered 7/1, 2012 at 20:17 Comment(0)
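The flow that several answers converge on (send an email to the address rather than reveal anything on the page, as in the second answer; tell the user an email was sent either way, as Brannen suggests; accept the request and notify the existing owner out of band plus throttle per client, as in option 2 above) can be sketched in one handler. This is an added example and not code from any of the answers; the in-memory user table, outbox, token store, rate-limit numbers and example.com addresses are all constructed stand-ins for a real database, mail server and limiter.

```python
"""Enumeration-resistant registration handler (added example, not from the thread).

The page response is identical for a new and an already-registered address;
only the email delivered out of band differs. A per-client sliding-window
throttle caps how many addresses one source can submit.
"""
import secrets
import time
from collections import defaultdict, deque

# Constructed stand-ins for a user table, a pending-registration table and a mail outbox.
REGISTERED = {"alice@example.com"}   # constructed: one pre-existing account
PENDING_TOKENS = {}                  # one-time token -> email awaiting confirmation
OUTBOX = []                          # (recipient, subject) pairs the mail server would send

MAX_ATTEMPTS = 5                     # assumed limit per client per window
WINDOW_SECONDS = 600
_attempts = defaultdict(deque)       # client_id -> timestamps of recent attempts

# Same wording regardless of whether the address exists, and it never echoes the address.
GENERIC_RESPONSE = ("We have sent an email to the address you entered. "
                    "Follow the link in it to continue.")


def _throttled(client_id, now):
    """Sliding-window limit: True if client_id already made MAX_ATTEMPTS in WINDOW_SECONDS."""
    recent = _attempts[client_id]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_ATTEMPTS:
        return True
    recent.append(now)
    return False


def register(email, client_id, now=None):
    """Handle one registration attempt. Returns (http_status, message_for_page).

    The on-page message does not depend on whether `email` is registered, so the
    form cannot be used to check which addresses have accounts. The existing
    owner is told by email instead; a new address gets a one-time sign-up link.
    """
    now = time.time() if now is None else now
    email = email.strip().lower()
    if _throttled(client_id, now):
        # The throttle message is also independent of the address.
        return 429, "Too many attempts. Please try again later."
    if email in REGISTERED:
        OUTBOX.append((email, "You already have an account here; use password reset if needed"))
    else:
        token = secrets.token_urlsafe(32)
        PENDING_TOKENS[token] = email
        OUTBOX.append((email, "Complete your registration with this one-time link"))
    return 200, GENERIC_RESPONSE


def complete_registration(token):
    """Consume the one-time token from the emailed link. Returns True if an account was created."""
    email = PENDING_TOKENS.pop(token, None)
    if email is None or email in REGISTERED:
        return False
    REGISTERED.add(email)
    return True


if __name__ == "__main__":
    print(register("alice@example.com", "client-1"))   # existing address
    print(register("bob@example.com", "client-1"))     # new address: same response
    print(OUTBOX)
```

The design choice worth noting: the only place the two cases differ is inside the mailbox of whoever controls the address, which is exactly the party entitled to know. The throttle keeps the remaining signal (volume of mail sent) from being abused in bulk, and a CAPTCHA would sit in front of `register` in the same way.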
-3

You can receive this error message if you already have an existing email alias with this email or user [email protected].

You can check whether the email alias exists; if it does, you will have to remove it first and then try to create it.

Mullet answered 27/10, 2020 at 21:33 Comment(1)
Probably a bad idea to remove the email address that is already registered. Demit
