diff --git a/changelog.d/12738.type b/changelog.d/12738.type new file mode 100644 index 000000000000..059ebf9c06dd --- /dev/null +++ b/changelog.d/12738.type @@ -0,0 +1,7 @@ +Currently when a user attempts login before registration, we respond with 403 and an empty string message. +In cases where a user was registered and bound to a 3pid already, we return "Invalid Password" as a message. +2 issues arise from this behavior: +- The major one is user existence leak. Having 2 different error messages for unregistered users and registered users who've entered the wrong password essentially leaks the information about that particular user's existence. +- While another issue is having a non-informative error message in the current approach. As the user wasn't yet registered, it has no password, so essentially no password is valid, implying the need to return "Invalid Password" instead of just "". + +Contributed by Daniel Aloni. \ No newline at end of file
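Review bot: the fragment filename `changelog.d/12738.type` keeps a placeholder `.type` suffix instead of one of the towncrier categories Synapse's changelog tooling accepts (`feature`, `bugfix`, `docker`, `doc`, `removal`, `misc`), so it will not be picked up as a valid news fragment; since the text describes fixing a user-existence leak, `changelog.d/12738.bugfix` looks like the intended name. The body is also seven lines of rationale with a bulleted list and no trailing newline, whereas these fragments are rendered as a single bullet in CHANGES.md and are expected to be one sentence describing the user-visible change, along the lines of `Fix a user existence leak by returning the same error message for login attempts against unregistered users and for wrong passwords. Contributed by Daniel Aloni.`; the longer explanation of the two issues belongs in the PR description rather than the fragment.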