This is a golden oldie which surprised me very much to see (back) on the login screen:
Error: The username BLABLA is not registered on this site. If you are unsure of your username, try your email address instead.
Trying some emails as username, you see this:
Error: The password you entered for the email address email@example.com is incorrect.
This tells hackers if a username is in use, thus solving 50% of the breaking-in problem.
I strongly suggest changing this into something like:
With the given combination of credentials we were not able to log you in.
Hope it helps!
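One way a site owner can get the single generic message suggested above, as an added example (not part of the original post and not WordPress core code). The plugin header and the `gle_` names are hypothetical; the sketch assumes failed logins arrive through the `authenticate` filter carrying core's `invalid_username`, `invalid_email` or `incorrect_password` error codes.

```php
<?php
/**
 * Plugin Name: Generic login errors (added example, hypothetical plugin)
 */

// Core error codes that distinguish "no such account" from "wrong password".
const GLE_CREDENTIAL_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

// Priority 100 runs after core's own authenticate callbacks (20 to 99),
// so this callback sees the WP_Error they produced.
add_filter( 'authenticate', 'gle_uniform_auth_error', 100, 3 );

function gle_uniform_auth_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login or no decision yet: leave untouched.
    }

    // Errors such as empty fields say nothing about which accounts exist.
    if ( ! array_intersect( $user->get_error_codes(), GLE_CREDENTIAL_CODES ) ) {
        return $user;
    }

    // Same code and same text whether the account is missing or the
    // password is wrong, so the response no longer confirms usernames.
    return new WP_Error(
        'gle_login_failed',
        __( 'With the given combination of credentials we were not able to log you in.' )
    );
}

// Keep the login form's "shake" feedback for the replacement error code.
add_filter( 'shake_error_codes', function ( $codes ) {
    $codes[] = 'gle_login_failed';
    return $codes;
} );
```

Replacing the error at the `authenticate` stage, rather than only rewriting the text with the `login_errors` filter, also hides the distinguishing error code from anything hooked on `wp_login_failed`.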