by abuddy 4364 days ago
When you create an account and the username already exists, the website tells you that. How is it difficult for someone to do this instead of guessing the username on the login page? It's the same.
1 comment

It's more pervasive than just registration too if you allow the username to be adjusted. This is again a problem with email addresses that also allows leakage.

Regarding the probability of attack, people should monitor the number of different usernames attempted by a session/IP, not just failed attempts against individual accounts. Otherwise it is very easy to try thousands of username combinations with a selected weak password.
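
The per-source check described in the comment above, as an added example that is not part of the original thread: it counts distinct usernames with failed logins per source inside a sliding window and runs a per-account failure counter beside it for comparison. The event tuple layout, the thresholds and the sample events (documentation-range IPs) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (hypothetical; tune to your own traffic).
WINDOW_SECONDS = 600
MAX_DISTINCT_USERS_PER_SOURCE = 5
MAX_FAILURES_PER_ACCOUNT = 5


def detect(events):
    """events: time-ordered (timestamp, source, username, success) tuples.

    Returns (flagged_sources, flagged_accounts):
      flagged_sources  - sources that failed against too many distinct
                         usernames inside the sliding window
      flagged_accounts - accounts a per-account failure counter would flag
    """
    per_source = defaultdict(deque)   # source -> (ts, username) failures
    per_account = defaultdict(deque)  # username -> failure timestamps
    flagged_sources, flagged_accounts = set(), set()

    for ts, source, user, success in events:
        if success:
            continue
        # Per-source view: how many different usernames did this source miss?
        src_q = per_source[source]
        src_q.append((ts, user))
        while src_q and ts - src_q[0][0] > WINDOW_SECONDS:
            src_q.popleft()
        if len({u for _, u in src_q}) > MAX_DISTINCT_USERS_PER_SOURCE:
            flagged_sources.add(source)
        # Per-account view: the counter most login forms already have.
        acc_q = per_account[user]
        acc_q.append(ts)
        while acc_q and ts - acc_q[0] > WINDOW_SECONDS:
            acc_q.popleft()
        if len(acc_q) > MAX_FAILURES_PER_ACCOUNT:
            flagged_accounts.add(user)
    return flagged_sources, flagged_accounts


# Constructed sample: one source fails once against each of 8 usernames;
# another source is a single user mistyping their own password 3 times.
SAMPLE = [(i * 10, "203.0.113.7", f"user{i}", False) for i in range(8)]
SAMPLE += [(100 + i, "198.51.100.4", "alice", False) for i in range(3)]
SAMPLE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(detect(SAMPLE))
```

On the sample, the per-account counter flags nothing because no account sees more than one failure from the first source, while the per-source count of distinct usernames flags it.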