It is a security problem to allow that two different user accounts have the same email address?
If the answer is “no problem”, when the user goes to “forgot username” service, should I send an email with list of the usernames of all associated accounts?
If the answer is “it is a problem”, what did I tell a user that is trying to use an email that is already used? Saying “the email is in use” is not a security issue?
Can you point me some readings about this?
If multiple accounts have the same associated e-mail address, then an attacker who compromises the e-mail account can immediately take over all those accounts. This is usually not desired. As you already point out, there can also be a lot of confusion when the user tries to reset their password.
E-mail addresses are typically unique. This isn't a strict rule, though. If duplicate addresses make sense in your specific use case, and if you're aware of the issues, then this might be acceptable.
Pointing out than an e-mail address is in use directly on the website can be a privacy issue. A better approach is to tell the user that they should check their e-mail account for further instructions. If the e-mail address hasn't been used yet, then link the user to the actual registration procedure in the e-mail. If the e-mail address is already in use, then explain this in the e-mail (and tell the user to reset their password if they no longer remember it).
