
Indeed, the assumption that usernames should be secret is stupid and senseless. Passwords are meant to be secret. Emails and usernames are not. Heck, emails would be public, were it not for spam issues.


Whether the username is sensitive depends a lot on context. If the service is a dating site, gambling, porn, etc. just disclosing someone is a user of the site breaches their privacy.

What this really highlights is a lack of consistency. If adding a security measure involves some kind of trade-off (UX in this case), you should really understand what you are trying to prevent and consider the rest of the attack surface. I think it would be a fallacy to immediately give up just because a larger vulnerability exists though.

I was curious to see whether there is a way round this and a quick search threw up https://security.stackexchange.com/questions/40694/disclose-... - the top answer is quite informative.


There are privacy issues though. Take a known email address, run it through 100 sites, and find out what kind of sites the person uses.


The point of the article is that you already can do this very easily - just try to sign up to each site.


That's sometimes true, but not always. Two examples: a signup may have a captcha, so the cost of filling out the form to check for an email address is high, or something like a bank sign up, which requires additional info besides the email address (account number, SSN).
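The leak the thread is arguing about, as an added example that is not part of the original discussion: a signup handler whose response text differs by account existence, beside one that answers identically and moves the distinguishing message into the mailbox. The user store and outbox are constructed in-memory stand-ins.

```python
# Constructed in-memory stand-ins for a user database and a mail queue.
REGISTERED = {"alice@example.com", "bob@example.com"}


def signup_leaky(email: str) -> str:
    """The pattern the thread describes: the HTTP response itself tells
    an unauthenticated caller whether the address already has an account."""
    if email in REGISTERED:
        return "That email is already registered."
    return "Check your inbox to confirm your account."


def signup_uniform(email: str, outbox: list) -> str:
    """Same response, same amount of work, for both cases. The only party
    that learns which case applied is whoever can read the mailbox, i.e.
    the address owner, which is what we want."""
    if email in REGISTERED:
        # Existing account: tell the owner, do not tell the caller.
        outbox.append((email, "Someone tried to sign up with your address; "
                              "if that was you, use password reset."))
    else:
        # New account: send the normal verification mail.
        outbox.append((email, "Confirm your address to finish signing up."))
    # Identical text regardless of branch, so there is nothing to compare.
    return "If that address can be registered, you'll get an email shortly."
```

The same rule applies to login and password-reset endpoints; response text, status code and timing should not depend on whether the account exists.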


Gmail allows you to use email+whatever. A lot of sites actually support this and this means it becomes significantly harder to determine what sites you use as each email+whatever is considered unique.


Which is an easily fixed flaw, when it comes to emails.

Usernames, yeah, you're not going to keep those private. But sometimes account names are not the same as display names, and display names can be duplicates, while account names should be reasonably protected.



