
This might have been asked before, but I've looked for a few hours and can't find much.

I would also like some opinions on what an attacker might do if he enters an email address on a site and it responds with "That user ID is not available".

My first thought is that it leaks people's email addresses, so if you know the email address, they may be registered with the site (if the email wasn't hijacked).

Another attack scenario might be to guess a login if there's no 2/MFA. People tend to reuse passwords or close variants. This assumes the attacker can link this 'user ID email taken' to the same person. Another scenario might be social engineering, and registering a very similar email address for impersonation to send phishing emails. Account recovery at a site may be possible if it's done poorly, perhaps by sending a code to a linked recovery address that's usable, or expired so you can register it and get the code to recover the account on the site with that email login.

What else do you think an attacker might be able to do when you check for an email as a user name and it says the ID is not available?

I thought of the old Yahoo people directory closed in 2012, where you could enter a name and last name (and more, if you knew more), and try to find their Yahoo address.

Thanks!

JYG
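The enumeration described in the question, as an added example that is not part of the original post: the sign-up handler is simulated in-process (the `REGISTERED` set, the `OUTBOX` list and the `signup_leaky` / `signup_uniform` / `enumerate_registered` names are all constructed for this illustration, not a real site or library). The leaky handler answers "That user ID is not available" for a registered address, so an attacker can partition a wordlist by comparing each response to a baseline from an address that is certainly unregistered; the hardened handler returns the same status and text on both branches and moves the difference into the email that is sent.

```python
"""Email enumeration through a sign-up form: leaky vs. uniform responses.

Added example, not code from the original post. Everything here is an
in-process stand-in: REGISTERED is a constructed set of addresses, and the
two signup_* functions simulate a site's sign-up handler rather than
calling any real service.
"""
from __future__ import annotations

import secrets

# Constructed sample data: addresses we pretend are already registered.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Stand-in for the site's outbound mail queue: list of (recipient, subject).
OUTBOX: list[tuple[str, str]] = []


def normalize(email: str) -> str:
    """Compare addresses case-insensitively and ignore surrounding whitespace."""
    return email.strip().lower()


def signup_leaky(email: str) -> tuple[int, str]:
    """Vulnerable handler: the response differs depending on whether the
    address is already a user ID. This is the oracle the question describes."""
    addr = normalize(email)
    if addr in REGISTERED:
        return 409, "That user ID is not available"
    OUTBOX.append((addr, "Confirm your new account"))
    return 200, "Check your inbox to confirm your account"


def signup_uniform(email: str) -> tuple[int, str]:
    """Hardened handler: identical status and message on both branches, and
    the same kind of work (one queued email) on both, so neither the body nor
    the response time tells the caller which branch ran. The difference is
    only visible to whoever owns the mailbox."""
    addr = normalize(email)
    if addr in REGISTERED:
        OUTBOX.append((addr, "You already have an account: sign-in link"))
    else:
        OUTBOX.append((addr, "Confirm your new account"))
    return 200, "If this address can be used, we have emailed you a link"


def enumerate_registered(signup, candidates):
    """Attacker's side: submit every candidate and flag each one whose
    response differs from a baseline obtained with a random, certainly
    unregistered address. Returns the flagged addresses, normalized and sorted."""
    baseline = signup(f"probe-{secrets.token_hex(8)}@example.net")
    return sorted(normalize(c) for c in candidates if signup(c) != baseline)


if __name__ == "__main__":
    # Constructed wordlist: two registered addresses (one with odd casing) and two not.
    wordlist = ["Alice@Example.com", "carol@example.com",
                "bob@example.com", "dave@example.com"]
    print("leaky  :", enumerate_registered(signup_leaky, wordlist))
    print("uniform:", enumerate_registered(signup_uniform, wordlist))
```

Two caveats a practitioner would check before calling the uniform version fixed. First, the same oracle usually exists in the login error ("wrong password" vs. "no such user") and the password-reset form ("we sent a link" vs. "no account for that address"), so all three flows have to give indistinguishable answers or the sign-up fix buys nothing. Second, equal text is not enough if one branch does noticeably more work than the other (a database write, a password hash, a mail send); the uniform handler above queues one email on both paths for that reason, and rate limiting per source and per target address should back it up, since an attacker only needs one probe per candidate.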
  • You've listed a lot of the common issues with email address enumeration. Are you looking for something in particular? This question seems pretty broad, as there's no real answer anyone can give that's 'correct'. – Daisetsu Oct 29 '18 at 02:36
  • 1
    That's true, there's no real correct answer to this question. I thought I might have been missing something obvious, but I don't think so. The only information I have is that a site has customers sign up with an email address as a username, and if the same one is entered on sign up it says that username is taken, so it's possible to do some discovery and there are probable privacy implications by just exposing an email in the first place. – JYG Oct 30 '18 at 00:47

0 Answers