Usernames and userIDs on WordPress are by default exposed to the public via a REST API virtual endpoint.
Test this by using this curl command:
"curl http://test/wp-json/wp/v2/users"
"curl https://test.com/wp-json/wp/v2/users"
After Executing the curl command above you should be met with a json file listing various users, in my experience most users are listed but not always 100%
The Virtual endpoint has non authenticated access configured for the public.
To resolve this traverse to your .htacess file
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [OR]
RewriteCond %{REQUEST_URI} ^/wp-json/oembed/1.0/embed
RewriteRule .* - [F,L]
</IfModule>
See "Eplanation.pdf" for configuration breakdown