
Account Hashes

~2 min read by naphtha, 2023-10-26

Kyun is switching to a new system called Account Hashes. If you've ever used Mullvad, this is similar to their "Account Number" system.

Instead of usernames, authentication will be done using these hashes. Here's an example hash: TZVM26VB

I created my account using an email or username, and I don't know my account hash.

For the time being, you can still log in by entering your email/username in the "hash" field.

Why?

In our September security audit, a weakness in the authentication system was pointed out: given enough time and motivation, an attacker would theoretically be able to get a list of Kyun usernames & emails by bruteforcing the login and register endpoints. If a username is taken, they would obviously get an error code, as there cannot be 2 accounts sharing the same email/username.

Kyun can be used 100% anonymously, and we constantly try to make it easier for people to be private. It's easy to slip up. If you know internet history, you know about the Silk Road case, where Ross Ulbricht was advertising his drug marketplace on the Bitcoin forum using the username "altoid". Years later, law enforcement found that the username had been used for accounts tied to his real life identity on other websites. You probably know the rest of the story.

Using the previous system, there was pretty much no way to fully mitigate this attack. Because we have first class support for Tor, per-IP rate limiting was impossible. CAPTCHAs were implemented a while back but were removed because guess what: they were annoying. A PoW CAPTCHA would have worked a little better, but it would've only slowed the attacker down a bit.

The new account hashes are basically impossible to bruteforce. The entropy is exactly the same as Mullvad's account numbers, 40 bits, but the hashes are shorter because they're encoded as Base32.

Even if someone managed to find a hash somehow, it wouldn't help much, provided you use a good password and 2FA.

Why "hashes"? What is being hashed?

Because it sounds cool. They're just 5 random bytes, not even hashed; Base32 isn't a hashing algorithm.
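To make the two points above concrete (40 bits of entropy from 5 random bytes, and Base32 as a plain encoding rather than a hash), here is an added example that is not Kyun's own code: it generates a hash with a CSPRNG, encodes and parses it with the RFC 4648 Base32 alphabet, and computes how long a full enumeration of the keyspace would take at a given request rate. The function names and the strict-parsing policy are assumptions for illustration.

```python
import base64
import secrets
from typing import Optional

HASH_BYTES = 5    # 5 random bytes = 40 bits of entropy, as the post states
HASH_LEN = 8      # 40 bits / 5 bits per Base32 character = 8 characters, no '=' padding
BASE32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")  # RFC 4648 alphabet


def encode_account_hash(raw: bytes) -> str:
    """Base32-encode 5 raw bytes into an 8-character account hash (no hashing involved)."""
    if len(raw) != HASH_BYTES:
        raise ValueError(f"account hash must be exactly {HASH_BYTES} bytes")
    return base64.b32encode(raw).decode("ascii")  # 40 bits encodes without padding


def generate_account_hash() -> str:
    """Draw 5 bytes from the OS CSPRNG (assumed: secrets.token_bytes) and encode them."""
    return encode_account_hash(secrets.token_bytes(HASH_BYTES))


def parse_account_hash(text: str) -> Optional[bytes]:
    """Normalise user input and return the decoded bytes, or None if it is not a valid hash.

    Lowercase and surrounding whitespace are tolerated; anything else (for example an
    email or username typed into the hash field during the transition period) returns
    None so the caller can route it to the legacy lookup instead of the hash lookup.
    """
    candidate = text.strip().upper()
    if len(candidate) != HASH_LEN or any(c not in BASE32_ALPHABET for c in candidate):
        return None
    return base64.b32decode(candidate)


def keyspace_bits(num_bytes: int = HASH_BYTES) -> int:
    """Entropy of an account hash in bits: 8 bits per random byte."""
    return 8 * num_bytes


def years_to_enumerate(bits: int, guesses_per_second: float) -> float:
    """Defender's sizing figure: time to try every value in a keyspace at a given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    fresh = generate_account_hash()
    print(fresh, parse_account_hash(fresh).hex())
    print("TZVM26VB ->", parse_account_hash("TZVM26VB").hex())  # the post's example hash
    print(f"{years_to_enumerate(keyspace_bits(), 1000):.1f} years at 1000 guesses/s")
```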