Account Enumeration
A technique that determines whether an account exists at a service by observing differences in the system's response to valid versus invalid usernames, used to build target lists for attacks.
Also known as: username enumeration, email enumeration
Last reviewed: 10 June 2026
Account enumeration exploits subtle differences in a system's response to an authentication attempt depending on whether the username is known. A system that returns 'Incorrect password' for a known email but 'Account not found' for an unknown one reveals whether any given email address has a registered account. This information allows attackers to confirm which of their target email addresses are registered with a service before investing effort in password attacks.
Enumeration also enables personalised phishing: knowing that a specific person uses a particular financial service makes a spoofed email from that service far more convincing. Registration forms that confirm 'This email is already registered' enable similar enumeration through sign-up flows.
Well-designed systems return identical error messages for wrong username and wrong password ('Invalid email or password') and implement consistent timing for all responses to prevent timing-based enumeration. Consumers benefit from services that implement these controls because they receive fewer targeted phishing messages and their account existence is less easily verified by attackers.
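As an added illustration that is not part of this glossary entry, the following Python sketch places a login handler that leaks account existence next to one applying the controls described above (one generic message, and the same password-hashing work on every attempt so that unknown accounts do not answer faster). The user store, password and dummy credential are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store: email -> (salt, PBKDF2 hash). Not real data.
# Iteration count kept modest so the example runs quickly; raise it in production.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential: the hardened path hashes against this for unknown emails,
# so a request for a non-existent account costs the same time as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(email: str, password: str) -> str:
    """Vulnerable: the message text (and the skipped hash work for unknown
    emails) tells the caller whether the account exists."""
    record = USERS.get(email)
    if record is None:
        return "Account not found"          # distinct reply for unknown accounts
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"             # distinct reply for known accounts


def hardened_login(email: str, password: str) -> str:
    """Hardened: a single generic message, and the expensive hash runs
    whether or not the email is registered."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    known = email in USERS
    match = hmac.compare_digest(_hash(password, salt), stored)
    if known and match:
        return "OK"
    return "Invalid email or password"      # same reply for wrong email and wrong password


def hardened_signup_response(email: str) -> str:
    """Sign-up flow: identical reply whether or not the address is already
    registered; the true state reaches only the mailbox owner (sending the
    email is assumed, not implemented here)."""
    return "If this address is not already registered, a confirmation email has been sent."
```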