They wouldn't have to really brute force your account. In a guild with 300-500 people's user names exposed, you could run a handful of common use and elder scrolls themed passwords and probably compromise several with very little effort. Wouldn't be hard to guess email addresses from user names as many people, mistakenly assuming their login information would be private like most other games/websites, just use(d) their email -minus the "@gmail.com" part - as their user name. I'm sure there are many accounts that can/will be compromised in this manner. And with this information known, unscrupulous hackers won't be able to pass up such easy pickings. What have they got to lose? They'll have login user names, and with that they will easily be able to figure out a lot of email addresses, not to mention all the people that use common/easy passwords. Sure hackers will hack, I get it. But why make it any easier for them by handing them an important piece of the puzzle?

You ask why someone would join a guild with people that would do this? LOL! Like you can know who/what anyone truly is over the internet, let alone 1500-2000 random people you could be exposed to in 5 guilds and friends list, etc.! What a ridiculous thing to say.

I do think this puts everyone at an increased risk. I wasn't made aware that my user name was going to be exposed to anyone when I created my account. I assumed, like most other people, that my login information would be private like every other game I've played and every other website I've joined.

Another potential issue is I see is that it could make phishing quite a bit easier, and phishing is generally how most accounts get hacked. Take a given account name, add "@gmail, Verizon, Comcast, Hotmail, etc" onto it, and write an email addressed to that player using their account name, making it more likely that they would fall for a phishing attempt.

I for one see absolutely no advantage to using the @username system over a simple handle.

If they decide to hide your login name, it will be solely to ease the minds of people who don't understand computer security.

OP: There are no passwords that "cannot be brute-forced" (i.e. having a script try every-damn-combination of characters). To a computer, "GetAtMeBro111" is just as random as "HsdwYjef8HSd7"

That being said, having a degree in Computer Science, I promise you that if someone knows your username they are not any closer to hacking your account. Attempting to brute force the password will end up with your account being locked and requiring you to call them, enter secret phrases, etc. It's also fairly safe to assume that if you usually sign in from California and now you're suddenly in Saudi Arabi, your account will also be locked. I'm sure there are many, many security features behind the scenes.

Just like every other online account since the dawning of the internet, account hacking is the result of falling for phishing schemes, getting keyloggers from sketchy sites, giving your info to your friend who "promised not to tell anyone," etc.

My login is the same as my forum name, get to it.