Disclosure of usernames has long been treated as a security vulnerability in its own right, with the username regarded as nearly as sensitive as the password that goes with it. Security experts recommend avoiding admin and root as usernames, and we can even see that practice taken to heart in leaks like Gawker's. Administrators and users, however, tend to treat the password as the only sensitive part of the login process.
Hackers, on the other hand, know that the username is often the hardest part of the equation to locate. Since most sites now let you log in with either a username or an email address, it is a major coup when that information is readily handed to you. Why is it available? For the convenience of the user, of course! Users can't remember their own email addresses anymore, and they blatantly violate the TOS by registering multiple accounts with service providers.
While working with some social graphing code that was becoming time- and memory-intensive, I decided to thin the herd with some pre-processing. Why try to locate the profile that belongs to an email address when I am not even sure the address has an account on the system at all?
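The oracle behind that pre-processing is the login form itself: a site that answers "no account with that address" differently from "wrong password" tells you, for free, which addresses are registered. The following is an added example, not code from the original post or from any of the sites it mentions. It models a leaky login handler beside a hardened one that answers identically either way, and an attacker-side pass that keeps only the addresses whose response differs from a known-nonexistent one. The user table, email addresses and messages are all constructed for the example.

```python
# Added example: email-address enumeration through a login response oracle,
# and the uniform-response fix. Not code from the original post.
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real system uses a per-user random salt


def _hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user table: email -> (salt, hashed password).
USERS = {
    "alice@example.com": (SALT, _hash(SALT, "correct horse")),
}

# Dummy record so the unknown-address path does the same hashing work.
_DUMMY = (SALT, _hash(SALT, "dummy-password"))


def login_leaky(email: str, password: str):
    """Vulnerable: the error text reveals whether the address is registered."""
    rec = USERS.get(email)
    if rec is None:
        return (401, "No account with that email address")
    salt, stored = rec
    if _hash(salt, password) != stored:
        return (401, "Incorrect password")
    return (200, "Welcome")


def login_uniform(email: str, password: str):
    """Hardened: same status, message and work whether or not the address exists."""
    salt, stored = USERS.get(email, _DUMMY)
    pw_ok = hmac.compare_digest(_hash(salt, password), stored)
    if not (pw_ok and email in USERS):
        return (401, "Invalid email address or password")
    return (200, "Welcome")


def enumerate_emails(login, candidates):
    """Attacker side: the pre-processing step described in the post.

    Submit each candidate address with a throwaway password and keep the ones
    whose response differs from the response for an address that certainly
    has no account (a constructed sentinel on a reserved .invalid domain).
    """
    baseline = login("nobody@example.invalid", "throwaway")
    return [e for e in candidates if login(e, "throwaway") != baseline]


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com"]
    print("leaky  :", enumerate_emails(login_leaky, candidates))
    print("uniform:", enumerate_emails(login_uniform, candidates))
```

Against the leaky handler the pass returns exactly the registered addresses; against the uniform handler it returns nothing, because every failed attempt looks the same. The same check applies to registration ("that address is already taken") and password-reset ("we sent a reset link") forms, which are usually the more convenient oracle because no password is involved; the fix there is the same uniform response, with the real outcome delivered out of band by email.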
Sites with similar issues: