So what we've done by promoting "Invalid username or password" is made our login form UX much, much worse, without increasing the security of our product.
Much, much worse? Not at all. It doesn't matter if you've forgotten your user name, email address or password; if you've forgotten your credentials, you reset your password, not keep guessing until you give up. The password reset will also clue you in as to if you've got the right email address.