diff --git a/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java b/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
index 3e36d667..768fb8bd 100644
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
@@ -1081,11 +1081,16 @@ public class UserResource extends BaseResource {
         // Validate input data
         ValidationUtil.validateStringNotBlank("username", username);
 
+        // Prepare response
+        Response response = Response.ok().entity(Json.createObjectBuilder()
+                .add("status", "ok")
+                .build()).build();
+
         // Check for user existence
         UserDao userDao = new UserDao();
         List<UserDto> userDtoList = userDao.findByCriteria(new UserCriteria().setUserName(username), null);
         if (userDtoList.isEmpty()) {
-            throw new ClientException("UserNotFound", "User not found: " + username);
+            return response;
         }
         UserDto user = userDtoList.get(0);
 
@@ -1102,9 +1107,7 @@ public class UserResource extends BaseResource {
         AppContext.getInstance().getMailEventBus().post(passwordLostEvent);
 
         // Always return OK
-        JsonObjectBuilder response = Json.createObjectBuilder()
-                .add("status", "ok");
-        return Response.ok().entity(response.build()).build();
+        return response;
     }
 
     /**
diff --git a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
index 2aeab9fa..14986a7e 100644
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
@@ -439,13 +439,11 @@ public class TestUserResource extends BaseJerseyTest {
         // Create absent_minded who lost his password
         clientUtil.createUser("absent_minded");
 
-        // User no_such_user try to recovery its password: invalid user
-        Response response = target().path("/user/password_lost").request()
+        // User no_such_user try to recovery its password: silently do nothing to avoid leaking users
+        JsonObject json = target().path("/user/password_lost").request()
                 .post(Entity.form(new Form()
-                        .param("username", "no_such_user")));
-        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
-        JsonObject json = response.readEntity(JsonObject.class);
-        Assert.assertEquals("UserNotFound", json.getString("type"));
+                        .param("username", "no_such_user")), JsonObject.class);
+        Assert.assertEquals("ok", json.getString("status"));
 
         // User absent_minded try to recovery its password: OK
         json = target().path("/user/password_lost").request()
@@ -461,7 +459,7 @@ public class TestUserResource extends BaseJerseyTest {
         String key = keyMatcher.group(1).replaceAll("=", "");
 
         // User absent_minded resets its password: invalid key
-        response = target().path("/user/password_reset").request()
+        Response response = target().path("/user/password_reset").request()
                 .post(Entity.form(new Form()
                         .param("key", "no_such_key")
                         .param("password", "87654321")));