I'm posting this because fans used Twitter's password recovery process, which reveals only part of the account owner's email, to determine that several Twitter accounts are owned by a single entity. Can this be considered a security or privacy flaw? A lot of my apps do not expose any part of the email during the recovery process and I've thought about doing so, but now I'm reconsidering it due to this use case.
(Can someone come up with a better title?)