In the forgot_password screen, the user is given the ability to restore her password by inputting her username or email address.
However, the system doesn't alert if a wrong username/email was inserted, and therefore a user could wait forever for the reset password email, not knowing that they will never get it because they supplied the wrong username/email.
This is the message that Moodle gives:
Could the system alert in case the wrong username/email was supplied? I doubt that it would raise a security issue, since other large systems - such as WordPress, Basecamp - do alert in such cases (see screenshot of WordPress message, and screenshot of Basecamp message).