I have tried to recover the password for some emails:
email@example.com (exists) firstname.lastname@example.org (does not exists)
After I clicked the "reset my password"'s button, the website informed that the email did not exist.
This is a bad practice, and it is an invitation to brute force emails that possibly exist in the domain @nextcloud.com.
By using a wordlist of common passwords, it is possible to guess a combination of email/password of an administrator account.