Few things to mention.
I believe NodeBB should return a generic error message such as "Email or Password is incorrect".
Is it also possible to restrict guests from viewing the Users page/list?
Also, is there an option to enable email login only? I think this would add a layer of a security as an outside(or inside) attacker can't easily guess user emails.
This is obviously for those of us that are extra paranoid. Any thoughts?