
Take it to the extreme and think about banking. You wouldn't want to have a system where you confirm and deny the existence of accounts for somebody who's rotating through a brute force. SSH logins for instance do this.



But if usernames are released publicly in forums, google crawled pages etc, then an attacker already knows the existence of a subset of the accounts at least.

For example, somebody attacking HN can crawl pages such as this one and determine that 'skeletonjelly' is a valid HN user.


Sure, but I guess there's no one single security model that fits all situations. I guess that's what I meant by "best practice". Obviously internet banking usernames wouldn't be listed somewhere public.
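An added illustration of the point made in the first comment (example code, not from the HN discussion): a login check that reveals whether a username exists beside one that returns the same message and does the same password-hashing work whether or not the account exists. The user store, salts and passwords below are constructed.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # constructed; production would use a tuned, higher cost


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, pbkdf2 hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed whenever the user does not exist, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("constructed-dummy-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Confirms/denies account existence: distinct message, no hash work for unknown users."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "no such user")
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "ok")
    return (False, "wrong password")


def login_uniform(username: str, password: str):
    """Same message and same hashing cost whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)
    # Succeed only if the user really exists AND the hash matches; the
    # existence check stops a guessed dummy password from ever "logging in".
    ok = (username in USERS) and hmac.compare_digest(computed, stored)
    return (ok, "ok" if ok else "invalid username or password")


def distinguishable(login_fn) -> bool:
    """True if the response for an unknown user differs from a wrong password."""
    unknown = login_fn("nobody", "x")
    wrong = login_fn("alice", "x")
    return unknown != wrong
```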



