Username enumeration is a vulnerability that occurs when an attacker can determine if usernames are valid or not. Most commonly, this issue occurs on login forms, where an error similar to “the username is invalid or in use” is returned.
Although username enumeration is not itself present as a high-risk issue, it does provide an attacker valuable information for further attacks.
Make sure to return a generic “No such username or password” message when a login failure occurs. Make sure your “forgotten password” page does not reveal usernames. Avoid having your site tell people that a supplied username is already taken.
An attacker can exploit this behavior by using lengthy lists of common usernames, known names, and dictionary words to observe the application response to all.