It's more pervasive than just registration too if you allow the username to be adjusted. This is again a problem with email addresses that also allows leakage.
Regarding the probability of attack, people should monitor the number of different usernames attempted by a session/IP, not just failed attempts against individual accounts. Otherwise it is very easy to try thousands of username combinations with a selected weak password.
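The monitoring suggested in the comment above, sketched as an added example that is not part of the original comment: it counts distinct usernames in failed logins per source address over a sliding window, next to a per-account failure counter for contrast. The thresholds, window length, event tuple layout and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # assumed look-back window
MAX_DISTINCT_USERS = 5    # assumed per-source limit on distinct usernames
PER_ACCOUNT_LOCKOUT = 3   # assumed per-account failure limit

def sample_events():
    """Constructed events: (epoch_seconds, source_ip, username, success)."""
    # One source failing once against each of eight different accounts.
    events = [(1000 + i * 20, "203.0.113.7", f"user{i:02d}", False) for i in range(8)]
    # One user mistyping their own password, then succeeding.
    events += [(1005 + i * 30, "198.51.100.4", "alice", False) for i in range(4)]
    events.append((1130, "198.51.100.4", "alice", True))
    return sorted(events)

def per_account_lockouts(events):
    """Per-account view: accounts with at least PER_ACCOUNT_LOCKOUT failures."""
    failures = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            failures[user] += 1
    return {u for u, n in failures.items() if n >= PER_ACCOUNT_LOCKOUT}

def spraying_sources(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_USERS):
    """Per-source view: sources whose failed logins cover more than `limit`
    distinct usernames within `window` seconds. Returns {source: peak count}."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, username)
    flagged = {}
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop attempts that have aged out of the window.
        while q and q[0][0] < ts - window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > limit:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("per-account lockouts:", per_account_lockouts(ev))
    print("sources over distinct-username limit:", spraying_sources(ev))
```

On the sample data the per-account counter only trips for the user who mistyped their own password, while the per-source distinct-username count is what surfaces the address that touched eight accounts once each.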