Possible username harvesting

Hi, we’re running an on-prem 11.11.8 GitLab cluster that’s exposed publicly. The service backs a custom made app that relies on the gitlab API. Signups are disabled.

We’ve noticed a brute force attack against GitLab using actual usernames from accounts on our system. It’s not clear to us how those names could have been exposed. We’re using haproxy fronts and are redirecting these otherwise public paths to the homepage:


Could there be any other paths or API endpoints that would expose our account list?