I don’t mean to step into this one late (or on anyone’s toes), but I think this it sort of is a valid security issue. Maybe the username is available in a bunch of other places, but the less you let an attacker know about what they did wrong, the harder it is for them to tell what they did right.
By making the error vague, you might not keep a dictionary attack from succeeding, but it might give the casual attacker reason to give up.