
Would you care to explain how that is a flaw?



Obviously the company and nature of a site will dictate whether leaking that information is considered a "flaw" and how bad a one.

Depending on how user sessions are tracked, being able to predict other valid "user ids" based on your own is an important first step to attacking other accounts.

It isn't unusual to find other flaws that will enable you to pull more (potentially sensitive) information about users or even "impersonate" users when armed with knowledge of someone else's valid user id.

Non-public companies certainly don't have too many obligations to publish information on the amounts of customers, numbers of transactions, etc. they are doing. Even public ones won't break a lot of that out.

One of tptacek's strangers (competitors?) being able to tell how many paying online subscribers a newspaper has signed up would probably make someone in management squirm.

Likewise with being able to tell how many transactions an Internet Banking application is pumping.

Both of those are real examples.


Competitive intelligence (http://en.wikipedia.org/wiki/Competitive_intelligence) - competitors can gather information about your business, make estimates about the health of your business, etc.
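The two concerns raised in the thread, sequential ids as a stepping stone to other accounts and as a leak of customer or transaction volume, are easiest to see from the defender's side. The following is an added example, not code from either commenter: it shows an opaque public identifier that reveals neither ordering nor count, and a small detector that flags a source walking adjacent numeric ids in a constructed access log. The log format, the `/users/<id>` path and the `min_run` threshold are assumptions for illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access log (not from the thread): one client fetching
# its own profile, one source walking the numeric user-id space in order.
SAMPLE_LOG = """\
10.0.0.5 GET /users/48213 200
203.0.113.9 GET /users/48200 200
203.0.113.9 GET /users/48201 200
203.0.113.9 GET /users/48202 404
203.0.113.9 GET /users/48203 200
203.0.113.9 GET /users/48204 200
10.0.0.5 GET /users/48213 200
"""
LINE_RE = re.compile(r"^(\S+) GET /users/(\d+) (\d{3})$")


def opaque_user_id() -> str:
    # Public identifier exposed in URLs and API responses. The database may
    # keep a sequential primary key internally, but this random 128-bit value
    # reveals neither neighbouring accounts nor the total number of users.
    return secrets.token_urlsafe(16)


def longest_consecutive_run(sorted_ids: list) -> int:
    # Length of the longest run of consecutive integers in an ascending list.
    best = run = 1 if sorted_ids else 0
    for prev, cur in zip(sorted_ids, sorted_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(log_text: str, min_run: int = 4) -> dict:
    # Map each source address to its longest run of adjacent user ids and keep
    # those reaching min_run: a legitimate client rarely requests several
    # neighbouring ids in order, which is the signal of a sequential walk.
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, uid, _status = m.groups()
            seen[src].add(int(uid))
    flagged = {}
    for src, ids in seen.items():
        run = longest_consecutive_run(sorted(ids))
        if run >= min_run:
            flagged[src] = run
    return flagged
```

Switching the exposed identifier to `opaque_user_id()` removes both the volume leak and the ability to guess a neighbour's id; the detector is the compensating control while sequential ids are still in use.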



