I've just started working for a small company that has a Wordpress website with user accounts. Each user account has a login name, display name, actual name, email, password and the rest.
I dug down and found a page which had a list of all registered users (showing just display names, but no personal information), as well as a total number of registered users.
This raises a big stinking red flag with me, firstly because the company doesn't need it, but it also feels wrong to expose this large amount of data. Yet I can't see anyway for it to be manipulated.
Can anyone tell me if this data can be used to carry out an attack on the website or a specific user?
Thanks