Comment 1 for bug 1158625

Aaron Wells (u-aaronw) wrote :

In order to avoid a username enumeration vulnerability on this, we should make sure that the message you see when trying to access a profile page you don't have access to is the same as the message you see when trying to access a profile page that doesn't exist. This is especially true when clean URLs are in place.

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29
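
A sketch of the check described in the comment above, as an added example that is not part of the original comment or the project's code: a profile handler with distinct "not found" and "no access" responses next to one that returns a single response for both, plus a regression check that compares them. The handler names, the `PROFILES` data and the message text are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: username -> viewers allowed to see that profile.
PROFILES = {
    "alice": {"alice", "bob"},
    "carol": {"carol"},
}

@dataclass(frozen=True)
class Response:
    status: int
    body: str

# One shared response for every outcome where the viewer gets nothing.
DENIED = Response(404, "This profile does not exist or you do not have access to it.")

def view_profile_leaky(viewer, username):
    """Before: distinct responses reveal which usernames exist."""
    if username not in PROFILES:
        return Response(404, "User not found.")
    if viewer not in PROFILES[username]:
        return Response(403, "You do not have access to this profile.")
    return Response(200, f"Profile of {username}")

def view_profile_uniform(viewer, username):
    """After: a missing profile and a forbidden one are indistinguishable."""
    allowed = PROFILES.get(username)
    if allowed is None or viewer not in allowed:
        return DENIED
    return Response(200, f"Profile of {username}")

def distinguishes_existence(handler, viewer, existing_private, missing):
    """Regression check: True if status or body differs between a profile
    the viewer cannot see and a profile that does not exist."""
    return handler(viewer, existing_private) != handler(viewer, missing)

if __name__ == "__main__":
    for handler in (view_profile_leaky, view_profile_uniform):
        leaks = distinguishes_existence(handler, "bob", "carol", "nobody")
        print(f"{handler.__name__}: leaks existence = {leaks}")
```

In a real application the same comparison should also cover response headers, redirects and response time, since any of them can separate the two cases even when the message text matches.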