Timing-Based Enumeration

concept 2 connections

Enumeration variant in which the attacker measures the response-time distribution of a login or password-reset endpoint for known-absent addresses and for candidate addresses. Any work that runs only when the account exists (sending the email synchronously, ActiveRecord callbacks, waiting on a Redis connection pool) lengthens those responses, so a neutralized message ("if that address is registered, we sent a link") still leaks existence: single samples are noisy, but over thousands of requests the two distributions separate. Prevent it by deferring every existence-dependent step to a background job (e.g. Sidekiq) that is enqueued for every request and receives the raw email rather than a looked-up user record, so the request path does the same constant work whether or not the account exists; and by rate-limiting login forms per email, with a per-IP limit as fallback so that an email-keyed limit cannot be turned into a lockout-based DoS against the victim.
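The following is an added, self-contained Ruby simulation (not code from the page or from any project it describes) of the leak and of the two countermeasures above. USERS, JobQueue, SEND_RESET_JOB, NEUTRAL_REPLY and LoginRateLimiter are hypothetical stand-ins for a users table, a Sidekiq queue, a mailer job and a Rack-level throttle; the 2 ms sleep stands in for the synchronous work that only existing accounts trigger, and the "IP fallback" is read here as a second, per-IP sliding window alongside the per-email one, both of which expire instead of locking the account. It runs with the Ruby standard library only.

```ruby
# frozen_string_literal: true
# Added example (not the page's own code). Hypothetical names: USERS, JobQueue,
# SEND_RESET_JOB, NEUTRAL_REPLY, LoginRateLimiter. No Rails, Sidekiq or Redis.

NEUTRAL_REPLY = 'If that address is registered, we sent a reset link.'

# Constructed sample data standing in for the users table.
USERS = { 'alice@example.com' => { id: 1 }, 'bob@example.com' => { id: 2 } }.freeze

# Stand-in for the synchronous work a real app does only when the account
# exists (SMTP round trip, ActiveRecord callbacks, Redis pool wait).
def deliver_reset_mail(_email)
  sleep 0.002
end

# Vulnerable: the neutral message hides existence, the timing does not.
def vulnerable_forgot_password(email)
  user = USERS[email]
  deliver_reset_mail(email) if user   # cost paid only for existing accounts
  NEUTRAL_REPLY
end

# In-process stand-in for a Sidekiq queue: enqueue does no lookup and the same
# amount of work for every call; drain is what the worker process does later.
class JobQueue
  attr_reader :jobs
  def initialize; @jobs = []; end
  def enqueue(job, *args); @jobs << [job, args]; end
  def drain
    @jobs.each { |job, args| job.call(*args) }
    @jobs.clear
  end
end
QUEUE = JobQueue.new

# The job receives the raw email, not a user record, so the existence check and
# everything that depends on it happen in the worker, off the request path.
SEND_RESET_JOB = ->(email) { deliver_reset_mail(email) if USERS[email] }

# Hardened: identical work for every request, whatever the email.
def hardened_forgot_password(email, queue = QUEUE)
  queue.enqueue(SEND_RESET_JOB, email)
  NEUTRAL_REPLY
end

# Median wall-clock time in milliseconds over n calls of the block.
def median_ms(n)
  samples = Array.new(n) do
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    yield
    (Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000.0
  end.sort
  samples[n / 2]
end

# What the attacker computes: median(existing address) - median(absent address).
def timing_gap_ms(handler, n = 40)
  present = median_ms(n) { handler.call('alice@example.com') }
  absent  = median_ms(n) { handler.call('nobody@example.com') }
  present - absent
end

# Sliding-window throttle keyed by normalized email, with a per-IP window as
# fallback. Both expire on their own, so flooding a victim's address from one
# source throttles that source instead of locking the victim out.
class LoginRateLimiter
  def initialize(per_email: 5, per_ip: 20, window: 60)
    @per_email, @per_ip, @window = per_email, per_ip, window
    @hits = Hash.new { |h, k| h[k] = [] }   # key => timestamps in window
  end

  def allowed?(email:, ip:, now: Process.clock_gettime(Process::CLOCK_MONOTONIC))
    email_key = "email:#{email.strip.downcase}"
    ip_key = "ip:#{ip}"
    [email_key, ip_key].each { |k| @hits[k].reject! { |t| t <= now - @window } }
    return false if @hits[email_key].size >= @per_email || @hits[ip_key].size >= @per_ip
    @hits[email_key] << now
    @hits[ip_key] << now
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  printf("vulnerable gap: %.2f ms\n", timing_gap_ms(method(:vulnerable_forgot_password)))
  printf("hardened gap:   %.2f ms\n", timing_gap_ms(method(:hardened_forgot_password)))
  QUEUE.drain   # the worker does the real sends later, off the request path
  limiter = LoginRateLimiter.new(per_email: 3, per_ip: 10, window: 60)
  p Array.new(5) { limiter.allowed?(email: 'alice@example.com', ip: '203.0.113.9', now: 100.0) }
end
```

The vulnerable handler shows a gap of roughly the simulated 2 ms between existing and absent addresses; the hardened handler's gap is only clock noise, because the enqueue is the same whether or not the account exists. Note that the fix depends on the job taking the email string: enqueueing a user id after a synchronous lookup would reintroduce the leak.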

category
pattern
about
Timing-Based Enumeration concept
Section on how timing leaks account existence even with neutralized messages.
about
Timing-Based Enumeration concept
Prevents timing-based enumeration by making every request do the same work regardless of account existence.

Provenance

Read by
4 extractions