CSL Dualcom allow users to reset their password on http://passwordrecovery.csldual.com/ (yes, no HTTPS, again).
The password reset functionality allows an attacker to enumerate valid usernames: the response for a genuine username differs from the response for an invalid one.
The forgotten username functionality also allows an attacker to check for valid email addresses.
Leaking valid usernames and email addresses like this is an incredibly bad idea. An attacker can send crafted emails directing users to reset their passwords on a server under his control, for example.
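The difference between a leaky and a uniform recovery handler, as an added example (not CSL Dualcom's code and not part of the original post). The account data, function names and response texts are constructed for illustration, and the one handler covers both the password reset and the forgotten username flows.

```python
import secrets

# Constructed sample accounts: username -> email (not real CSL data).
USERS = {"alice": "alice@example.com"}

# One response for every recovery request, whatever the lookup result.
GENERIC = (200, "If the details match an account, an email has been sent.")

def find_account(kind, value):
    """Look up by 'username' (password reset) or 'email' (forgotten username)."""
    if kind == "username":
        return (value, USERS[value]) if value in USERS else None
    if kind == "email":
        return next(((u, e) for u, e in USERS.items() if e == value), None)
    raise ValueError("kind must be 'username' or 'email'")

def recover_leaky(kind, value):
    """The pattern the post describes: valid and invalid inputs answer differently."""
    if find_account(kind, value):
        return (200, "A recovery email has been sent.")
    return (404, "No such " + kind + ".")

def recover_uniform(kind, value, outbox):
    """Identical status and body either way; mail is queued only for real accounts.

    Queueing (rather than sending inline) also keeps response time from
    becoming a second way to tell the two cases apart.
    """
    account = find_account(kind, value)
    if account:
        username, email = account
        token = secrets.token_urlsafe(32)  # single-use reset token
        outbox.append({"to": email, "username": username, "token": token})
    return GENERIC

def distinguishable(handler, kind, known, unknown):
    """Regression check: True if the responses for the two inputs differ."""
    return handler(kind, known) != handler(kind, unknown)

if __name__ == "__main__":
    outbox = []
    uniform = lambda k, v: recover_uniform(k, v, outbox)
    for kind, known, unknown in [("username", "alice", "nobody"),
                                 ("email", "alice@example.com", "x@example.com")]:
        print(kind, "leaky:", distinguishable(recover_leaky, kind, known, unknown),
              "uniform:", distinguishable(uniform, kind, known, unknown))
```
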
Adam
November 16, 2015 at 6:34pm
With Google you can enumerate their email addresses as well: http://imgur.com/cPgSMlT
But the difference between Google and CSL is that Google monitors IP addresses of the original user as well as the kind of computer that the original user uses and encourages 2-step verification.