| It's about not leaking sensitive information. If you have different messages for invalid username vs. invalid password, you can exploit that to determine if a user has an account at a particular service. "Invalid credentials" for either case solves this problem. But sure, let's report infra failures differently as "unexpected error". Now, what happens if the unexpected error is only when checking passwords, but not usernames? Do you report "invalid credentials" when given an invalid username, but "unexpected error" when given a valid name but invalid password? If so, you're leaking information again and I can determine valid usernames. So, the safe approach is to report "invalid credentials" for either invalid data or partial unexpected errors. The only time you could safely report "unexpected error" is if both the username check and the password check are failing, which is so rare that it's almost not worth handling. Especially at the risk of doing it wrong and leaking info again. |
In this case, Facebook does not treat hiding username usage as a requirement. Their password reset mechanism not only exposes username / phone number usage, but ties it to a name and picture. So yes, Facebook returning an error that says credentials are incorrect when it has infrastructure problems is absolutely a defect.
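The response rule from the quoted comment, as an added example that is not code from either commenter: both checks always run, a failure in only one of them is reported as "invalid credentials", and "unexpected error" appears only when both backends are down. The backend names, `BackendError`, `DUMMY_HASH` and the in-memory accounts are constructed for illustration.

```python
from typing import Callable, Optional

INVALID = "invalid credentials"
UNEXPECTED = "unexpected error"

# Constructed placeholder hash: the password backend is exercised even when no
# user record exists, so an outage there surfaces on the unknown-user path too.
DUMMY_HASH = "$placeholder$no-such-user"


class BackendError(Exception):
    """Raised by a lookup or verify backend when its infrastructure fails."""


def login(username: str, password: str,
          lookup_user: Callable[[str], Optional[dict]],
          verify_password: Callable[[str, str], bool]) -> tuple[bool, str]:
    """Return (authenticated, message shown to the client).

    The message depends only on the combination of outcomes, never on which
    single step failed, so valid and invalid usernames look the same whenever
    one backend is down:
      - both backends down             -> UNEXPECTED
      - bad username, bad password, or -> INVALID
        exactly one backend down
      - record found and password ok   -> success
    """
    user_down = pw_down = False
    record = None
    try:
        record = lookup_user(username)
    except BackendError:
        user_down = True
    stored_hash = record["pw_hash"] if record else DUMMY_HASH
    pw_ok = False
    try:
        pw_ok = verify_password(stored_hash, password)  # always runs
    except BackendError:
        pw_down = True
    if user_down and pw_down:
        return False, UNEXPECTED
    if record is not None and not user_down and not pw_down and pw_ok:
        return True, "ok"
    return False, INVALID


def make_backends(users_down: bool = False, pw_down: bool = False):
    """Constructed in-memory backends; 'alice' is the only account."""
    users = {"alice": {"pw_hash": "hash:correct horse"}}

    def lookup_user(name: str) -> Optional[dict]:
        if users_down:
            raise BackendError("user db unreachable")
        return users.get(name)

    def verify_password(stored_hash: str, password: str) -> bool:
        if pw_down:
            raise BackendError("password service unreachable")
        return stored_hash == "hash:" + password

    return lookup_user, verify_password
```

With only the password service down, `login("alice", ...)` and `login("bob", ...)` both return `(False, "invalid credentials")`, which is the case the comment says must not be distinguishable.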