Dec 21, 2017
This best practice that you called bullshit is still the best practice we have for this. An extra step for the attacker to take to obtain usernames and/or e-mails is far better than no steps.
I kinda expected a better solution for the problem rather than a quite lengthy rant.