[awesome_dude]

> First, I disagree that "user emails can be brute-forced" is a serious security issue. > I mean, sure, it's a security issue, but on a scale of 1-10, with 1 being "security issue, we'll fix in next point release" and 10 being "All-hands until this emergency patch goes out, and we keep the system offline while fixing it", this is definitely a 1.

Jesus no.

Aside from this now being an argument on semantics, someone enumerating every customer/user account you have is serious.

It opens the door for privacy leaks, targeted attacks (like password attempts, phishing, or account lockouts)

If you don't want to take that seriously, thank you for your honesty, I will ensure that I never have an account on any service you work on.

[lelanthran]

> If you don't want to take that seriously, thank you for your honesty, I will ensure that I never have an account on any service you work on.

That's fine; you already have multiple accounts on various providers that can be trivially massaged by a client into providing proof of life of an email address.

Microsoft, OpenAI, Anthropic, Oracle, Amazon; I tried them all now, and they let you enumerate emails trivially by clicking "signup" and then informing you if you choose an email that is already registered.

> Jesus no.

You haven't really has thought this through as thoroughly as you think you have - email enumeration is still, at the tail end of 2025, possible across all major sites, providers, etc.