It is a common recommendation to return "Username or password is incorrect" instead of "Username does not exist" when the given username does not exist and "Password is incorrect" when username exists but password is wrong.
The generally cited reason is that you don't want to provide an attacker with the knowledge that a username exists, to prevent online brute force attacks.
However, if username is used to login, it has to be unique, and therefore you will need to inform the user that a chosen username is taken while they are creating an account. So an attacker can easily determine if a username exists even if you only say "Username or password is incorrect" when logging in.
But even if no signup page exists, or other measures are taken to obscure the existence of usernames on registration, this recommendation still doesn't make sense. Usernames are not designed to be secret. Most people reuse usernames, and they are easy to find. And keeping them secret only improves security so far as it increases the total size of your secret, which can be achieved with longer required passwords.
And moreover, there are better ways to prevent online brute force attacks than longer secrets. Rate limiting users on login, which a properly slow password hashing algorithm like bcrypt already implicitly does, or providing a timeout after many incorrect attempts, solves this problem far better than a longer secret does.
Is there something else I'm missing? Even on this site I see people defending this practice, but I have yet to see a reason that isn't better solved with other methods.
Edit: As a follow-up, if this recommendation really isn't useful, why is it still common? And where did it come from?