> bots with targeted email could scan for site accounts
Indeed. A good login form will give away nothing about whether or not the attempt failed because the username doesn't exist or because the password was wrong, or anything that leaks information to a malicious party. There's always a balance between security and convenience, and where that balance lies is determined by your threat model. It's almost universally an anti-pattern to respond in a way that lets a potential attacker know that they've found a valid username for your site.
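The point in the comment above, as an added example that is not part of the original post: a login check that reveals which part failed, beside one that returns the same status and message for an unknown username and a wrong password. The user store, function names, message text and PBKDF2 parameters are assumptions made for illustration; the dummy-hash step goes slightly beyond the comment by also keeping the work done on both failure paths the same.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."  # same text for every failure
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (hypothetical; a real site would use a database).
USERS = {"alice@example.com": make_user("correct horse battery staple")}

# Dummy record checked when the username is unknown, so both failure paths
# run the same expensive hash instead of returning early.
DUMMY = make_user(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Anti-pattern: status and message reveal whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return 404, "No account with that username."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return 401, "Wrong password."
    return 200, "Welcome."


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Identical response for 'no such user' and 'wrong password'."""
    user = USERS.get(username)
    record = user if user is not None else DUMMY
    candidate = hash_password(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    if user is None or not matches:
        return 401, GENERIC_ERROR
    return 200, "Welcome."
```

The same uniformity has to hold on every endpoint that accepts a username, such as registration and password reset, or the login form's care is undone elsewhere.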