@zahid wadiwale Yes, I agree to you but this is not an actually vulnerability. This us just a Step 1 for a hacker meaning if the username has been inputted and let's say a super weak password has been guessed by the hacker then there is a small possibility that hacking can happen. This is just hypothetical and more likely that it will not happen. But some popular social media platforms does not allow the use of usernames for login (but I prefer not to mention a name/brand)

By the way, I have made a component (based on the OSSN Core code and Arsalan's discontinued component) to only allow logins using the email address only, thus making the username unusable for login.

You can have a try here: https://www.opensource-socialnetwork.org/component/view/6579/strict-email-login

lol @ easily hacked.

that's a good reply, thank you Matthew.

Zahid,

I can get your username by clicking on your profile in Facebook. Does that make your account any easier to hack? Same goes for Google+, Twitter, Instagram, MySpace, et al.

The "difficulty" in hacking doesn't start at username discovery. Even if I had a username, I would still need access to the database table which stores the information, the algorithm used to hash passwords, the salt, and a number of other things the common desktop computer would take +years to break. A "hack" is by definition a term that indicates exploitation or altering of code.

Simply put, knowing someone's username != hack. It's conducive of nothing other than knowing the identifier someone chooses to go by. That's more of a concern left to user discretion and has nothing to do with OSSN.

I am an ethical hacker and red team analyst.

This is a totally false and didn't result in any hack, this is not a issue.