[h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname
Severity: Medium
## Vulnerability Details
I am not sure if this is by design, but it came to my attention that the **Add users** functionality located at `https://shopify.plus/[id]/users/invite` allows a Shopify Plus user with the **User management** access to retrieve any existing Shopify ID full name.
## Steps to reproduce
1. Log in into **ShopifyPlus**
1. Go to **Users > Add users**
1. Within the email field, enter an email address of any existing Shopify Account ID (e.g. [email protected])
1. Select any role and click **Send invite**
As a result, if the entered email does have a Shopify ID, its full name will be displayed within the user page.
## Screenshot of a pending invite
██████████
**Note:** I've a feeling that this is expected, but I am still reporting it, as the standard invite flow (non-ShopifyPlus) doesn't display that kind of information unless the user accepts the invite.
## Impact
A **ShopifyPlus** user with **User management** can retrieve the first name and last name of any existing Shopify ID account (by email lookup).
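The defensive pattern the note above alludes to (the standard flow only reveals the name once the invite is accepted) can be shown in a small Ruby model. This is an added example, not Shopify's code; the `Account` and `Invite` structures, the `ACCOUNTS` directory and the two view functions are hypothetical, and the sample account data is constructed. The leaky view resolves the invited email against existing accounts as soon as the invite is created, which is the lookup behaviour the report describes; the hardened view returns an identical pending record whether or not the email belongs to an existing account, and only fills in the name after acceptance.

```ruby
# Added example (not Shopify's code): invite views with and without the
# pre-acceptance name disclosure described in the report.

Account = Struct.new(:email, :first_name, :last_name)
Invite  = Struct.new(:email, :role, :status) # status: :pending or :accepted

# Constructed sample directory of existing accounts (hypothetical data).
ACCOUNTS = {
  "alice@example.com" => Account.new("alice@example.com", "Alice", "Liddell"),
}.freeze

# Leaky variant: resolves the invite email against the account directory
# regardless of invite state, so a pending invite already exposes the
# existing account holder's full name (an email-to-name lookup).
def leaky_invite_view(invite)
  account = ACCOUNTS[invite.email]
  {
    email: invite.email,
    role: invite.role,
    status: invite.status,
    name: account ? "#{account.first_name} #{account.last_name}" : nil,
  }
end

# Hardened variant: the profile name is shown only after the invitee has
# accepted (and so consented to join the organisation). A pending invite
# looks the same whether or not the email matches an existing account, so
# the invite page cannot be used to probe for accounts or names.
def safe_invite_view(invite)
  view = { email: invite.email, role: invite.role, status: invite.status, name: nil }
  if invite.status == :accepted
    account = ACCOUNTS[invite.email]
    view[:name] = "#{account.first_name} #{account.last_name}" if account
  end
  view
end

if __FILE__ == $PROGRAM_NAME
  pending = Invite.new("alice@example.com", "admin", :pending)
  p leaky_invite_view(pending) # name revealed while still pending
  p safe_invite_view(pending)  # name: nil until accepted
end
```

The useful check when reviewing such a flow is the last assertion in the hardened variant: for two pending invites that differ only in whether the email is registered, the responses must be byte-for-byte identical apart from the email itself.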
## Report Stats
- Report ID: 1083922
- State: Closed
- Substate: resolved
- Upvotes: 17