Usernames or emails can be enumerated under certain conditions with $CFG->protectusernames on

There is just a couple edge cases which $CFG->protectusernames doesn't correctly protect against when an account is in an intermediate state while unconfirmed.

Specifically:

1) A freshly created account whichis unconfirmed, you can request a forgotten password using their email and it will give you an error message instead of just re-sending the confirmation email so you can tell it is different from an already confirmed email

2) Same as aboe but using their username

3) Combinations of the above but when there is also duplicate emails in the system