This best practise that you called bullshit is still the best practise we have for this. An extra step for the attacker to take to obtain usernames and/or e-mails is far better than no steps.

I kinda expected a better solution for the problem rather than quite lengthy rant.