In a not-yet-authenticated state your code should do everything it can not to tell a potential hacker something they do not already know. Being able to check if an account exists and being able to read off the full name associated with it are not the worst problems in the world (though knowing the full name could make phishing attacks slightly less unconvincing), but if you take the attitude of never telling an attacker anything, no matter how innocuous you think the information is, then you are less likely to accidentally let something sensitive slip due to a bug.
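The point above in code, as an added example that is not part of the original comment: a login check that tells an unauthenticated caller whether the account exists (and its full name), beside one that returns the same answer and does the same hashing work either way. The user store, passwords and names are constructed for the demo; PBKDF2 stands in for whatever password hash you actually use.

```python
# Added example: a login check that leaks account existence beside one that
# does not. The user store and credentials below are constructed for the demo.
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hash (argon2/bcrypt in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: username -> (salt, hash, full name)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT), "Alice Example")}

# Dummy salt/hash so the hardened path does the same work for unknown users
# (otherwise response timing still reveals which accounts exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(username: str, password: str) -> dict:
    """Leaks existence and the full name to an unauthenticated caller."""
    rec = USERS.get(username)
    if rec is None:
        return {"ok": False, "error": "no such user"}
    salt, stored, full_name = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": False, "error": f"wrong password for {full_name}"}
    return {"ok": True, "user": full_name}

def login_uniform(username: str, password: str) -> dict:
    """Same response, and the same hashing work, whether or not the user exists."""
    rec = USERS.get(username)
    salt, stored, full_name = rec if rec else (_DUMMY_SALT, _DUMMY_HASH, None)
    good = hmac.compare_digest(_hash(password, salt), stored)
    if not (rec and good):
        # One generic message: nothing about which part was wrong.
        return {"ok": False, "error": "invalid username or password"}
    return {"ok": True, "user": full_name}

def leaks_existence(login) -> bool:
    """True if a failed login for a known vs an unknown account is distinguishable."""
    return login("alice", "wrong") != login("nobody", "wrong")
```

Run `leaks_existence(login_leaky)` and `leaks_existence(login_uniform)` to see the difference; the same uniform-response rule applies to password reset and registration endpoints.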

