Well, the issue is in the authentication process: an attacker is able to enumerate registered users on the site by brute-forcing the login page. When the user does not exist, the system returns the following error message: "User not exist"; when the user exists but the password is incorrect, it returns: "Password does not match".
Mitigation: handle the above situation correctly, e.g. by returning "Login failed. Invalid user ID or password" in both cases. This does not tell the attacker which credential is wrong and makes enumeration more difficult.
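An added Python example (not code from the original report or the affected site) showing the leaky handler described above next to the hardened one, plus a small check that reviewers can run to confirm both failure cases produce the same response. The user store, the password and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2 hash). Not from any real system.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

def login_vulnerable(username: str, password: str) -> str:
    """The behaviour described in the report: two distinct messages reveal
    whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "User not exist"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Password does not match"
    return "Login successful"

# Dummy record so the unknown-user path does the same hashing work as a
# real one (keeps the response time similar as well as the message).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

def login_fixed(username: str, password: str) -> str:
    """Hardened version: one generic message for both failure causes."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # The membership check stops a guess of the dummy password from logging in.
    if ok and username in USERS:
        return "Login successful"
    return "Login failed. Invalid user ID or password"

def leaks_user_existence(login) -> bool:
    """Review check: True when an unknown user and a wrong password for a
    known user produce different responses."""
    return login("alice", "wrong") != login("no-such-user", "wrong")
```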