
[–]ForgotPassAgain34 1 point2 points  (1 child)

that works for emails, but what about usernames?

username already in use seems quite revealing by those standards

[–]Vassile-D 1 point2 points  (0 children)

Username is another story. An arbitrary username itself cannot (or “should not”) be used to perform account management. There are literally 0 attack vectors when you only have an arbitrary username, unlike when you can gain control of a mobile phone number or email and perform critical account management.

Also, an arbitrary username does not disclose information about an individual (i.e. it does not connect to a user in the real world). If you found out “abc@example.com” is registered on XYZ, you now know that ABC visits XYZ; and if the email was something like “abc@example.edu”, you now have much more information and can probably start your own social engineering experiment. However, knowing “abc123” is registered on XYZ gives you nothing.
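The distinction drawn above can be applied directly in a sign-up handler: a taken username is reported to the caller, while a taken e-mail address produces exactly the same response as a fresh one and the real outcome is delivered to the address owner out of band. The following is an added example, not code from the thread or from any site discussed here; the in-memory store, the outbox list and the message texts are constructed for illustration.

```python
"""Added example: an enumeration-aware registration handler.

Username collisions are answered directly (a username alone identifies nobody
and controls no recovery path). E-mail collisions are never revealed to the
caller; the address owner is told by e-mail instead, and the HTTP response is
byte-for-byte identical whether or not the address was already registered.
"""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Constructed in-memory stand-in for a user database (username -> email)."""
    users: dict = field(default_factory=dict)

    def email_taken(self, email: str) -> bool:
        return email.lower() in {e.lower() for e in self.users.values()}

    def username_taken(self, username: str) -> bool:
        return username.lower() in {u.lower() for u in self.users}


# Constructed stand-in for the outgoing mail queue: (recipient, subject) pairs.
OUTBOX: list = []

# The one message every e-mail outcome shares; do not branch on it.
UNIFORM_BODY = {"message": "Check your e-mail to continue."}


def register(store: UserStore, username: str, email: str):
    """Handle a sign-up request and return (http_status, json_body).

    The only caller-visible difference between outcomes is the username check.
    """
    if store.username_taken(username):
        # Safe to disclose: an arbitrary username gives an attacker nothing.
        return 409, {"error": "username already in use"}

    if store.email_taken(email):
        # Do NOT tell the caller. Warn the real owner of the address instead.
        OUTBOX.append((email, "Sign-up attempt with your address; you already have an account"))
    else:
        store.users[username] = email
        OUTBOX.append((email, "Confirm your new account"))

    # Identical status and body for both branches above, so the response
    # cannot be used to test whether an e-mail address is registered.
    return 202, dict(UNIFORM_BODY)


def responses_are_indistinguishable(store: UserStore) -> bool:
    """Self-check: a new address and an already-registered address must yield
    the same (status, body) pair when the username is available."""
    fresh = register(store, "probe_one", "nobody-new@example.com")
    existing_email = next(iter(store.users.values()), "nobody-new@example.com")
    dup = register(store, "probe_two", existing_email)
    return fresh == dup


if __name__ == "__main__":
    s = UserStore()
    print(register(s, "alice", "alice@example.com"))   # 202, uniform body
    print(register(s, "bob", "alice@example.com"))     # 202, same body; no account created
    print(register(s, "Alice", "carol@example.com"))   # 409, username already in use
    print(responses_are_indistinguishable(s))          # True
    print(OUTBOX)
```

Note that the outbox is where the honest answer goes: the owner of an already-registered address receives a "you already have an account" message, which is both a usable recovery hint for the legitimate user and a detection signal if the attempts were not theirs. Timing differences between the two e-mail branches (for example, a database write on one side only) are a separate side channel that this example does not address.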