I've noticed something on the Stack Overflow login page: detecting if an email address has been used by a user for registration is actually possible.
In short, when you want to log in with an email that is not registered, you are provided with an error message that states that there is no account with the email you provided.
If you provide an email that a user used to register on Stack Overflow but provide a wrong password, the error message states that the password you used doesn't match the one used for registration.
(I have intentionally hidden my personal email address from the screenshot)
I have been told on many occasions (in both job contracts and school lessons) that when a combination of login/password is wrong, the error message should not specify whether it's the email or the password that is wrong. It should rather tell the user that either one of them is incorrect without specifying which one exactly, so as not to indicate if a specific login exists or not.
So why doesn't the Stack Overflow login form follow this (what I consider a) basic security rule?
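The rule described in the question, shown as an added example (it is not part of the original post and is not Stack Overflow's code): a login check that returns a distinct message per failure next to one that returns a single message for both. The user store, function names, and message strings are assumptions made for illustration, and the uniform version also hashes against a dummy record so the unknown-email path does the same work as the wrong-password path.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "The email or password is incorrect."

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample user store (hypothetical account).
USERS = {"alice@example.com": _make_record("correct horse")}

# Dummy record checked when the email is unknown, so both failure
# paths perform one password hash and one comparison.
_DUMMY = _make_record(os.urandom(16).hex())

def login_revealing(email: str, password: str) -> tuple[bool, str]:
    """Distinct message per failure (messages paraphrased, not quoted)."""
    user = USERS.get(email)
    if user is None:
        return False, "No account with this email."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False, "The password does not match."
    return True, "Welcome."

def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """Same message and same hashing work for both failure cases."""
    user = USERS.get(email)
    record = user if user is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    # Require a real user as well: a match against the dummy must never log in.
    if user is not None and matches:
        return True, "Welcome."
    return False, GENERIC_ERROR
```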