Attack that lets a third party discover which email addresses or usernames have accounts on a service. Happens on registration forms ('email already taken'), password-reset and confirmation forms (differentiated 'no account' messages), and sometimes login forms (different messages for wrong credentials vs unknown email). Privacy risk — especially severe for sensitive apps (addiction support, HIPAA-regulated services). Mitigations: neutral messages for all paths ('we sent you an email if the account exists'), and performing existence checks asynchronously in a background job to make response times indistinguishable.
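The two mitigations side by side with the leaky pattern, as an added example that is not from the original entry: a password-reset handler that reveals account existence, and a hardened one that returns the same neutral response for every address and leaves the existence check to a background job. The function names, the `USERS` set and the in-memory queue (standing in for a real job system and mailer) are assumptions made for illustration.

```python
import queue

USERS = {"alice@example.com"}  # constructed sample account store
NEUTRAL = "If an account exists for that address, we have sent a reset email."


def reset_vulnerable(email, outbox):
    """Leaky pattern: inline lookup, and the response depends on the result."""
    email = email.lower()
    if email not in USERS:
        return 404, "No account found for that email address."
    outbox.append(email)  # stand-in for sending the reset email
    return 200, "Reset email sent."


def reset_hardened(email, jobs):
    """No lookup in the request path: same status, body and work for any input."""
    jobs.put(email.lower())
    return 202, NEUTRAL


def drain(jobs, outbox):
    """Background job: the existence check runs here, off the response path."""
    processed = 0
    while not jobs.empty():
        email = jobs.get()
        if email in USERS:
            outbox.append(email)  # stand-in for sending the reset email
        # Unknown address: dropped silently, nothing reaches the requester.
        processed += 1
    return processed


def responses_differ(handler, make_sink):
    """True if a caller can tell a registered address from an unregistered one."""
    known = handler("alice@example.com", make_sink())
    unknown = handler("nobody@example.com", make_sink())
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks:", responses_differ(reset_vulnerable, list))
    print("hardened handler leaks:  ", responses_differ(reset_hardened, queue.Queue))
```

`responses_differ` doubles as a regression check: run it against each registration, reset, confirmation and login handler to confirm that status code and body are identical for known and unknown addresses.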