If an attacker can probe your site to test whether a username exists,
it gives them a leg up in trying to hack your users’ accounts.
Allowing enumeration of usernames is not a vulnerability in itself, but in
tandem with other types of vulnerabilities – like the ability to
brute-force login – it will compromise the
security of your users.