CSL Dualcom allow users to reset their password on http://passwordrecovery.csldual.com/ (yes, no HTTPS, again).
The password reset functionality allows an attacker to enumerate valid usernames. Genuine usernames have a different response to invalid usernames.
The forgotten username functionality also allows an attacker to check for valid email addresses.
Leaking valid usernames and email addresses like this is an incredibly bad idea. An attacker can send crafted emails directly users to reset their passwords on a server under his control, for example.