Account Enumeration
What is Account Enumeration?
An attack that abuses application responses to determine which accounts, emails, or phone numbers exist on a target system.
Account enumeration exploits any observable difference in how an application behaves when an account exists versus when it does not: distinct error messages on login, registration, or password reset flows; different HTTP status codes or redirects; or timing variations, most often because the server only performs the expensive password-hash check for accounts that exist and returns early for unknown ones. By probing many candidate identifiers and comparing each response against a baseline for an identifier known not to exist, an attacker builds a list of valid accounts that can then be targeted by phishing, credential stuffing, or password spraying. The vulnerability is common in login forms ("unknown user" vs "wrong password"), password reset ("check your email" vs "no account found"), and signup ("email already registered"). Defences include a single generic message and status code regardless of outcome; equal work on both code paths (verify a dummy hash when the account is unknown) so response times do not differ; notifications sent out of band (tell the user to check their email whether or not the address is registered, and put the "already registered" notice in the email itself); rate limiting keyed on both source IP and target identifier; CAPTCHA or step-up challenges once abuse is detected; and MFA so that a harvested account list alone is not enough for takeover. Every flow that accepts an identifier needs the same treatment: a site whose login is uniform but whose password reset still answers "no account found" remains enumerable.
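The following is an added example, not code from the original page. It puts a deliberately vulnerable login and signup handler beside hardened versions, then runs the same probe an attacker would use against each. The user store, email addresses and the PBKDF2 parameters are constructed test data; in a real application the dummy-hash check would sit inside the web framework's login view.

```python
"""Account enumeration: vulnerable vs hardened handlers, plus the attacker's probe.
Added example with constructed data; not the page's or any project's own code."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Iterable, List, Tuple

ITERATIONS = 20_000  # PBKDF2 work factor; large enough to make the timing gap visible


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed user store (hypothetical accounts, not real data).
USERS = {"alice": _make_user("correct horse battery"), "bob": _make_user("hunter2")}
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# Throwaway credential verified whenever the username is unknown, so both code
# paths pay the same hashing cost (the "constant-time response" defence).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_LOGIN_ERROR = "invalid username or password"
GENERIC_SIGNUP_MSG = "check your email to continue"


def login_vulnerable(username: str, password: str) -> Tuple[int, str]:
    """Leaks existence three ways: status code, message, and timing
    (the unknown-user branch returns before any password hashing)."""
    user = USERS.get(username)
    if user is None:
        return 404, "unknown user"
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return 200, "ok"
    return 401, "wrong password"


def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """Same status, same message and the same PBKDF2 work whether or not
    the username exists."""
    user = USERS.get(username)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), expected)
    if user is not None and match:
        return 200, "ok"
    return 401, GENERIC_LOGIN_ERROR


OUTBOX: List[Tuple[str, str]] = []  # (recipient, template): stand-in for a mail queue


def signup_vulnerable(email: str) -> Tuple[int, str]:
    if email in REGISTERED_EMAILS:
        return 409, "this email is already in use"
    OUTBOX.append((email, "verify-address"))
    return 200, GENERIC_SIGNUP_MSG


def signup_hardened(email: str) -> Tuple[int, str]:
    """HTTP response is identical either way; only the email body differs,
    and only the mailbox owner can see that."""
    template = "already-registered" if email in REGISTERED_EMAILS else "verify-address"
    OUTBOX.append((email, template))
    return 200, GENERIC_SIGNUP_MSG


def probe(attempt: Callable[[str], Tuple[int, str]], candidates: Iterable[str],
          baseline: str = "zz-no-such-identifier-zz") -> List[str]:
    """Attacker's oracle: a candidate 'exists' if its (status, message) differs
    from the response for an identifier known not to exist."""
    reference = attempt(baseline)
    return sorted(c for c in candidates if attempt(c) != reference)


def timing_gap_ms(handler, known: str = "alice",
                  unknown: str = "zz-no-such-identifier-zz", rounds: int = 10) -> float:
    """Median response time for a known user minus that for an unknown one."""
    def median_ms(name: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            handler(name, "wrong-guess")
            samples.append((time.perf_counter() - t0) * 1000)
        samples.sort()
        return samples[len(samples) // 2]
    return median_ms(known) - median_ms(unknown)


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("vulnerable login leaks:", probe(lambda u: login_vulnerable(u, "x"), names))
    print("hardened login leaks:  ", probe(lambda u: login_hardened(u, "x"), names))
    print("timing gap vulnerable: %.1f ms" % timing_gap_ms(login_vulnerable))
    print("timing gap hardened:   %.1f ms" % timing_gap_ms(login_hardened))
    emails = ["alice@example.com", "new@example.com"]
    print("vulnerable signup leaks:", probe(signup_vulnerable, emails, "nobody@example.invalid"))
    print("hardened signup leaks:  ", probe(signup_hardened, emails, "nobody@example.invalid"))
```

Run stand-alone, the vulnerable login hands back `['alice', 'bob']` and a timing gap of tens of milliseconds (the known-user path pays for PBKDF2, the unknown path does not); the hardened login yields an empty list and a gap near zero. Note that `login_hardened` still does the comparison for unknown users and only then checks `user is not None`, so a correct guess of the dummy password cannot log anyone in.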
● Examples
- 01
A signup form that says 'this email is already in use', letting an attacker harvest valid emails.
- 02
Different response times on /login for known vs unknown usernames, used to build an account list.
● Frequently asked questions
What is Account Enumeration?
An attack that abuses application responses to determine which accounts, emails, or phone numbers exist on a target system. It belongs to the Identity & Access category of cybersecurity.
How does Account Enumeration work?
It exploits any observable difference between the "account exists" and "account does not exist" code paths: the wording of an error, the HTTP status code or redirect, or how long the server takes to answer. The attacker submits many candidate identifiers to a login, signup, or password-reset endpoint, compares each response against the one returned for an identifier known not to exist, and keeps the candidates that differ. The resulting account list feeds phishing, credential stuffing, and password spraying.
How do you defend against Account Enumeration?
Return the same status code and message whether or not the identifier exists; do the same amount of work on both paths (for example, verify a dummy password hash when the username is unknown) so response times match; move any "already registered" or "no account found" wording into the email or SMS rather than the HTTP response; rate-limit by source IP and by target identifier; add CAPTCHA or step-up challenges when abuse is detected; and require MFA so that a harvested account list is not enough for account takeover.
What are other names for Account Enumeration?
Common alternative names include: User enumeration, Identifier enumeration.
● Related terms
- identity-access (№ 1196)
Username Enumeration
A specific form of account enumeration in which application responses confirm whether a given username exists, helping attackers focus subsequent attacks.
- attacks (№ 232)
Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- attacks (№ 800)
Password Spraying
A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.
- attacks (№ 821)
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- network-security (№ 904)
Rate Limiting
Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.