For usernames it might be true but many sites use emails instead of usernames (and rightfully so, it's already complicated for people to remember passwords without forcing them to also remember an unique username).
Emails are more personal and might be easier to link back to personal information. Thus, confirming that there is an associated account with a given email is also a privacy leak, because maybe people don't want to reveal that they have an account on a specific website.
But don't you leak the same information during registration? What happens when a user tries to sign up with an already existing email address? Don't you return an error saying that email has already been used?
email addressess are frequently public information anyway, and often get leaked through other methods like giant CC list emails. Unless you have a specific reason to conceal email addresses, I'd argue that the cost of keeping that tiny nugget of information secret is too high for the level of security it adds.
And as they say in the article, that information is already leaked by the password reset process: "No email by that name available".
Would the argument then be to change the password reset process to something like, "After we verify that this address exists in our records, a password reset email will be sent to it."
Is the user supposed to sit on their hands, wondering whether the email is still coming? Email is far from instant, especially 'password reset' emails, which I've received hours later in some cases. At what point does the user decide to try another of their email addresses? Or do they just try them all (also painful) and just wait to find out which one return a result? What if the user misspells their own email, a common occurrence? They'll never get an email, and never get an indication that they failed.
"But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists"