Currently the forgot password logic output whether an email adres exists, allowing for checking against the database if a certain email adres is accounted for.
Although minor, it is a data leak and should be fixed to not inform the outside world (any not logged in user/bot) about the existance or non-existance of an email adres in the database.
Thanks for reporting this. The bug is confirmed, and we’ll fix it as soon as possible.
As for a temporary fix, there are two options:
Change the text in Loco Translate as suggested by Chris. This will work because 404 may still appear if the username does not exist, and then it is less clear whether it is a username or email error, making it impossible to verify the email.
Alternatively, try setting up reCAPTCHA for this form, and then bots will not be able to register.