by vampirical 5003 days ago
> But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists [...]

Alright so this security hole already existed in their system elsewhere. After raising the issue that this type of message leaks data, which is a completely valid concern, they dropped it because they were already leaking that data elsewhere? It isn't like email based account reset/reminder forms have to leak the existence of an email within the system, a fact they just gloss right over.

For a system that stores quite a lot of very sensitive data it is surprising to see them knowingly keep such a hole open. I understand the desire to smooth out the user experience but this honestly seems more driven by the desire to not field customer support requests for what feels like a "stupid issue".

I'm not currently a MailChimp customer but I used to be and before reading this I would have chosen to use them again if the need was there. Please don't compromise the security of customers for convenience.
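The comment above argues that a reset or reminder form does not have to reveal whether an address is registered. As an added illustration (not code from this thread or from MailChimp), here is the enumerating pattern beside a non-enumerating one, with a small check a defender can run against either handler; the user store and outbox are constructed stand-ins for a database and a mail queue.

```python
import secrets

# Constructed in-memory user store; a real application would query its database.
USERS = {"alice@example.com": {"name": "Alice"}}


def leaky_reset(email, outbox):
    """Enumerating pattern: the reply itself says whether the account exists."""
    if email not in USERS:
        return {"status": 404, "message": "No account with that email address."}
    token = secrets.token_urlsafe(32)
    outbox.append((email, token))
    return {"status": 200, "message": "Reset link sent."}


def safe_reset(email, outbox):
    """Non-enumerating pattern: identical status and text either way.

    The token is generated on both paths so the handler does roughly the
    same work whether or not the address is registered. Actual delivery
    belongs in a background queue, not inline, so response time does not
    depend on whether a message was really sent.
    """
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if email in USERS:
        outbox.append((email, token))  # queue mail only for real accounts
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def responses_differ(handler, known_email, unknown_email):
    """Defender's check: does the reply differ between a real and a bogus address?"""
    return handler(known_email, []) != handler(unknown_email, [])


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_reset), ("safe", safe_reset)):
        print(name, "reveals existence:",
              responses_differ(handler, "alice@example.com", "nobody@example.com"))
```

The same "identical reply" rule applies to the username reminder form the quoted text mentions: the check above can be pointed at any handler with the same signature.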

1 comments

In what way does people being able to find out you have a MailChimp account cause a problem for you? Are you concerned someone is going to threaten to go public with this shocking information if you don't pay them off?