The application reveals whether specific user accounts exist through different responses to login, registration, or password reset functionality.
An attacker could compile a list of valid usernames for targeted brute force, credential stuffing, or phishing attacks by observing differences in application responses.
Return identical responses (same status code, message, and behaviour) for valid and invalid usernames in login, registration, and password reset flows. Use generic error messages, for example "Invalid username or password" on login and "If an account exists, a reset link has been sent" on password reset. Keep response timing consistent, so that the unknown-user path does no less work than the known-user path, to prevent timing-based enumeration.
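As an added illustration (not code from the original finding), the following Python shows a login handler that leaks account existence beside a hardened version that applies the remediation above, plus a generic password-reset response. The user store, the `login_vulnerable` / `login_hardened` / `password_reset_request` function names, and the sample credentials are all constructed for this example; the hardened path verifies against a dummy hash whenever the username is unknown so that message, status, and hashing work are identical in both cases.

```python
import hashlib
import hmac
import os
import time

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential hashed at startup; the hardened login verifies against it
# for unknown usernames so the amount of work does not reveal existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks existence: distinct messages/status and a fast path for unknown users."""
    record = USERS.get(username)
    if record is None:
        return 404, "Unknown username"        # different message and no hashing work
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return 200, "Login successful"
    return 401, "Incorrect password"          # distinguishable from the unknown-user reply


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message, same hashing work whether or not the user exists."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    # Always run the PBKDF2 computation and a constant-time compare.
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if match and user_exists:
        return 200, "Login successful"
    return 401, "Invalid username or password"


def _send_reset_email(username: str) -> None:
    """Placeholder for the real mail sender (assumption: not part of the finding)."""
    return None


def password_reset_request(username: str) -> tuple[int, str]:
    """Generic reply regardless of existence; the e-mail is only sent when it exists."""
    if username in USERS:
        _send_reset_email(username)
    return 200, "If an account with that username exists, a reset link has been sent."


def responses_match(handler, known_user: str, unknown_user: str, password: str = "wrong") -> bool:
    """Defender's check: does the handler reply identically for a real and a fake username?"""
    return handler(known_user, password) == handler(unknown_user, password)


def _time_call(handler, username: str, password: str = "wrong") -> float:
    start = time.perf_counter()
    handler(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "responses match:", responses_match(handler, "alice", "nobody"))
        print(name, "known/unknown seconds: %.4f / %.4f"
              % (_time_call(handler, "alice"), _time_call(handler, "nobody")))
```

`responses_match` is the kind of check to run in a test suite against each authentication endpoint: it fails for `login_vulnerable` and passes for `login_hardened`. The timing print is for inspection only; the vulnerable handler returns almost instantly for an unknown user, while the hardened one takes the same PBKDF2 time in both cases.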