If member.php does not properly check permissions, an attacker could gather usernames, emails, join dates, or even hashed passwords from old backup files.
I was looking for a specific user, a moderator named Vektr, who had vanished in 2019. I clicked through the member list, navigating the standard URL structure: If member