This attack is often the result of one or more of the following:
- User names (IDs, account names) may be guessable, published elsewhere, or simply email addresses
- Authentication and related mechanisms may indicate whether a username is valid or not (registration, password reset/recovery, username recovery, change password, change email address)
- Missing authentication failure detection
- Missing monitoring to identify attacks against multiple user accounts that use the same password
- Additionally, another web or non-web application (e.g. mobile app, telephone service) that utilises the same credentials has one or more of the above problems
NB: This card relates to user names. See AT 7 for the related card on password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
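As an added illustration of the causes listed above (not part of the Cornucopia card itself), the following Python shows a login response that reveals whether a username exists beside a uniform one, a uniform password-reset response, and a minimal failure monitor that flags one source failing against many accounts; the user store, hashes and source addresses are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

def _h(pw, salt="constructed-salt"):
    """Constructed salted hash for the demo user store (not a production scheme)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed user store: username -> password hash
USERS = {"alice": _h("correct horse"), "bob": _h("hunter2")}
DUMMY_HASH = _h("placeholder")  # used so unknown users cost the same work as known ones

def login_leaky(username, password):
    """Leaky: distinct failure messages tell the caller whether the username exists."""
    if username not in USERS:
        return "unknown user"
    if not hmac.compare_digest(USERS[username], _h(password)):
        return "wrong password"
    return "ok"

def login_uniform(username, password):
    """Hardened: one generic failure message, and the hash comparison always runs."""
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, _h(password))
    if username in USERS and match:
        return "ok"
    return "invalid username or password"

def reset_uniform(username):
    """Password reset/recovery: identical response whether or not the account exists."""
    return "If that account exists, a reset message has been sent."

class FailureMonitor:
    """Tracks failed logins per source and flags a source whose failures span
    many distinct usernames (the 'one password, many accounts' pattern)."""
    def __init__(self, max_accounts=3):
        self.max_accounts = max_accounts
        self.failed = defaultdict(set)  # source -> usernames with a failed attempt

    def record(self, source, username, result):
        """Return True once this source has failed against max_accounts usernames."""
        if result != "ok":
            self.failed[source].add(username)
        return len(self.failed[source]) >= self.max_accounts
```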
Sebastien can easily identify user names or can enumerate them
OWASP ASVS (4.0): 2.2.1, 4.1.5
CAPEC: 383
OWASP SCP: 33, 53
OWASP AppSensor: AE1
SAFECode: 28
ASVS V2.2 - General Authenticator Requirements
ASVS V4.1 - General Access Control Design
Password Guessing/Brute Force Attacks
Session Hijacking (Man-in-the-Middle)