Dec 19, 22 3:22 pm

Was this post helpful?

3 Ways Attackers Leverage User Enumeration

Dec 19, 2022
| by:
Shimon Brathwaite

What is User Enumeration

User enumeration is an essential part of the penetration testing process, where the hacker develops a list of all valid usernames on a server or web application. By doing so, the hacker can get an idea of how many accounts exist and use this information to compromise accounts on the target. This is possible for several reasons. For example, some servers are configured to provide this information if the hacker runs a specific command in the command line. In another example, some web applications may be configured to tell the user if the username provided is correct, even if the password doesn’t match. This information unwittingly tells hackers if they have guessed a valid username. In this article we’ll be discussing how user enumeration works, why it’s valuable to a hacker and how it can be prevented.

Different ways applications allow User Enumeration

As mentioned above, there are several ways that applications allow for user enumeration. The most common way this can be done is for the hacker to use the feedback given by the application itself. For example, if a hacker enters a username, he may receive a message like this:


In the screenshot above, the application tells us that the username doesn’t exist. This is valuable information to a hacker because it confirms that we can brute force usernames, and the application will inform us when we have a valid username.


In this example, we used a legitimate password and got a response saying only the password was incorrect. By trying commonly used usernames, a hacker can use this feedback to compile a list of valid usernames.

The feedback doesn’t need to be in the form of a text reply. It can be more complicated. One example is using the response time it takes to receive a failed login as an indicator. An article by rapid7 showed how, when using an invalid username, it took an application over 30 seconds to respond (because it needed to check all accounts). However, when using a correct username and incorrect password, the failed response took less than half a second. This is another method hacks can use to identify valid usernames. 

Source @ rapid7

The last method we’ll discuss here is using password reset forms. If not correctly configured, hackers can go to an application, select the option for a password reset and continuously enter email addresses into that form until a link for a password reset is sent. This will allow hackers to identify legitimate email addresses linked to the account and act as another method for user enumeration. 

What can a hacker do with user enumeration?

The ultimate goal of user enumeration is to gather a list of legitimate and active user accounts. Once the hacker has this list, they can use it to perform several different types of attacks against an organization or an individual. These are commonly known as password based attacks, which are attacks where the hacker attempts to acquire the legitimate password to a user account. The most common one is known as a brute force attack, which is where a hacker continuously tries random password combinations to find the correct password. A more efficient method is using a dictionary attack, this is where a hacker will compile a list of commonly used passwords and use those to try and guess the correct password of a user account. By using user enumeration, hackers gain usernames that they can use to perform these password based attacks and ultimately gain control of user accounts.

3 ways attackers leverage user enumeration

Theft of Contact Lists

Using methods like the password reset method we discussed earlier, hackers can steal lists of valid email addresses belonging to users. By doing so, they can create their contact lists of users. This list can be sold to marketing firms for money, used for phishing campaigns or for any other purpose the hacker wants. Many companies will pay for contacts lists in order to poach clients from other businesses or simply to have a larger contact list for their marketing campaigns, which make this a very lucrative business.

Credential Stuffing

Credential stuffing is an automated injection of stolen pairs of usernames and passwords into website login forms to gain access to user accounts. Using user enumeration, the hacker already has a list of valid usernames. They simply need to compile a list of commonly used passwords and combine them with the valid usernames to perform this attack. This is the reason that many applications have a limit on the amount of password guesses that you are allowed before an account is locked and a user must reset their password for login.

Social Engineering

This is the psychological manipulation of people into performing malicious actions or divulging information to an attacker. In a situation where hackers can gather email addresses for legitimate accounts, phishing emails can be sent to these accounts and used to target individuals using that service. Since the hacker knows what service the users are using, they can create phishing emails tailored to the users and therefore are more convincing, resulting in a higher success rate for the hacker.

4 Ways to avoid user enumeration attacks


Multi-factor authentication helps to ensure that the person on the other side of the screen is the legitimate account holder rather than a hacker trying to gain information. For example, rather than allowing anyone to attempt a password reset with a given email, you can add a feature where the person must authenticate using MFA before attempting a password reset. This extra step reduces the ability of a hacker to exploit this feature. Some common examples of MFA options include:

- Google Authenticator
- Text Message
- Push Notifications
- Automated Phone Calls
- Fingerprint
- Face Scans


Captcha is a challenge-response test used to tell if a user is a human or a computer. Captcha on websites is great for identifying computer bots that may be probing the website and attempting to perform enumeration attacks. Computer bots can perform brute forcing and other malicious tasks much faster than a human can, and by inserting a captcha on your website, you can filter out bots from your legitimate users and block them.

Generic Messaging

One way to limit user enumeration attacks is to use generic messaging on login pages. Password resets forms or other input pages on websites. Hackers often use the messaging from login attempts or password resets to identify active usernames/emails. By using generic messaging such as “username or password is incorrect” rather than specifying “password is incorrect” prevents hackers from being able to identify usernames via these pages.

Source @uxwritinghub

Rate Limiting

Rate limiting controls the rate of requests that can be sent to an application. Reducing the number of requests a hacker can make to an application or server makes it increasingly difficult for hackers to use requests to gain information on what usernames are valid. For example, limiting failed login attempts to 3-5 tries before locking out an account. This helps to mitigate the risk of hackers using automated tools to guess thousands of passwords in a short period of time and protects accounts from compromise. 


User enumeration is a technique used to identify valid usernames on a server or application. Hackers like using user enumeration to find a list of usernames they can use to compromise user accounts. The compromise of accounts can be done through many different methods, but some common ones include password-based attacks or phishing emails aimed at the account holder. To defend against user enumeration, you can use a few different techniques, including implementing MFA, captcha, generic messaging, and rate limiting. All of these techniques are effective in preventing user enumeration on your applications/servers. 

Was this post helpful?

About the Author

Shimon Brathwaite
Shimon Brathwaite is a cybersecurity professional, Consultant, and Author at securitymadesimple. He is a graduate of Ryerson University in Toronto, Canada. He has worked in several financial institutions in security-related roles, as a consultant in incident response and is a published author with a book on cybersecurity law. My professional certifications include Security+, CEH and AWS Security Specialist.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post

May 17, 2023 by Omkar Hiremath

Risk of Security and Monitoring Logging Failures

Read more

Was this post helpful?

May 1, 2023 by Omkar Hiremath

Intro to Identification and Authentication Failures

Read more

Was this post helpful?

Dec 22, 2022 by Warren Moynihan

3 Types of XSS Attacks & 4 XSS Mitigation Strategies

Read more

Was this post helpful?


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured