As described here, Cognito has a configuration to prevent user-enumeration during login. However, they forgot to apply this to user sign-up as well. Need to validate that this is still the case and add to Hacking the Cloud.