When requesting a password reset, the confirmation page shows my email address. This is a great way to allow a site crawler to gather everyone's email address.
There are diverse opinions of what to do, but what I'm used to seeing these days is a message of the sort "Your password has been emailed to your registered email address. If your email address is no longer valid, please (mailto link)contact the site administrator(/mailto link)."
were involved in the discussion regarding this issue on IRC as of 2005.01.22 1100 EST.
Thanks for reporting this. Also removed password from URL in sent e-mail to not have it show up in access logs, browser history etc.