User enumeration identifies valid usernames through different application responses — different error messages, timing, or HTTP status codes for valid vs. invalid usernames reveal existing accounts.
Prevention: return identical responses for valid/invalid usernames, use timing-safe operations, rate limit login attempts. User enumeration enables targeted password attacks and phishing campaigns with valid email addresses.