If an attacker can harvest the list of usernames for a site, they have half the authentication information they need to access those accounts.