Disclosure of usernames and user IDs is not considered a weakness

Last updated on
16 August 2022

The Drupal Security Team does not consider it a vulnerability that there are ways to determine a registered member's username and/or user ID value (i.e. the numeric uid).

Justification for considering username/uid to be sensitive information

This information may be useful to help an attacker gain access to a site. Once an attacker knows the username they have half of the information necessary to break into a site. Many security researchers and experts consider it to be a security weakness for a system to disclose the usernames available on a site.

Drupal's philosophy

Usernames are an important part of online identity. Having a public username helps other users of a site to know the identity of the person they are interacting with, in a forum or a blog. Drupal is primarily intended to be used for sites where identity and interaction are key elements so it is reasonable for that information to be public.

Potential mitigation

Administrators of sites that are concerned about this form of attack should look to strengthen their login process. For example, add a second factor with the Yubikey, Swekey or similar modules. It is also possible to hide the name used for login by displaying users' real names with the RealName module, and to reduce the likelihood of username enumeration with the Username Enumeration Prevention module.

Another strategy is to allow users to log in to the site only with their email address. In that case, knowing the username has no security implications because it cannot be used to log in. The Email Registration module provides this out of the box; alternatively, the Login Email or Username module can be combined with custom validation of the user login form via hooks.
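As an added illustration of the hook-based approach (not code from this page or from any of the modules named above), the following restricts the core login form to email addresses and maps the address to the account's internal name before core authenticates. It assumes a custom module named `mymodule` and Drupal 8 or later:

```php
<?php
// mymodule.module (hypothetical module name; assumption, not from the page).

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for the core user login form.
 *
 * Our validator is placed before core's own handlers so the submitted value
 * is checked and mapped to the account's username first.
 */
function mymodule_form_user_login_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  array_unshift($form['#validate'], 'mymodule_login_email_only_validate');
  // The field now holds an email address, so label it accordingly.
  $form['name']['#title'] = t('Email address');
}

/**
 * Validation handler: accept only an email address as the login identifier.
 */
function mymodule_login_email_only_validate(array &$form, FormStateInterface $form_state) {
  $value = trim((string) $form_state->getValue('name'));
  // One generic message for every failure, so the response does not reveal
  // whether a given address is registered (the enumeration concern above).
  $generic = t('Unrecognized email address or password.');

  if (!\Drupal::service('email.validator')->isValid($value)) {
    $form_state->setErrorByName('name', $generic);
    return;
  }

  $accounts = \Drupal::entityTypeManager()
    ->getStorage('user')
    ->loadByProperties(['mail' => $value]);
  $account = reset($accounts);
  if (!$account) {
    $form_state->setErrorByName('name', $generic);
    return;
  }

  // Hand core's authentication handler the real username. The user never
  // needed to know it, so disclosure of the name gives no login advantage.
  $form_state->setValue('name', $account->getAccountName());
}
```

Core's own login validators still run after this handler, so password checking and flood control remain in place unchanged.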

Those interested in making usernames a more private piece of information should work on #3241232: [policy] Treat username enumerations as security bugs that require Security Advisories.
