Hi WordPress team,
Found a disclosure during authentication to a blog for version 2.1.2.
When a person logs in with the wrong username into /wp-admin, the error message states "ERROR: Incorrect username".
The problem is that WordPress is disclosing that that username doesn't exist, therefore providing more information to someone who wants to bruteforce username/password combinations. Once they've guessed a correct username (other than the default admin), they only have 1 field to bruteforce reducing the time needed.
Not too big a deal, but the solution should say "ERROR: Incorrect username/password" to not disclose which one was incorrect.