Don't show "Welcome back" message when an account has timed out.
Whenever I go to theoldreader.com after not having been there for a while, I am greeted by a chirpy "Welcome back, <account name>".
Except it's a login screen. I'm not logged in, and yet my account name is displayed.
Which means, tautologically, that my account information is being shown to people who have not identified themselves as me.
It's a bad look, and also a breach of data privacy laws. ... It may be a minor issue if one argues that the exposure is small, but you're still definitely leaking private information to someone who has definitely not been identified as me.
So, yeah. Maybe wait with registering the welcome back message until after all of the authentication checks, not just the one that managed to identify me?
... How should I put this? I feel quite strongly about this. I can't say I've been harmed by the issue, but this kind of thing is important.
<shrug>.
Have a continued good summer.
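
An added example, not part of the original post and not The Old Reader's code: a minimal model of the behaviour described, with the greeting emitted on identification alone next to a version that emits it only after the authentication check passes. The session store, the timeout value and all function names are hypothetical, and it assumes the visitor is recognised through a cookie carrying a session id whose login has expired.

```python
from dataclasses import dataclass

SESSION_TTL = 1800  # seconds a login stays valid (constructed value)


@dataclass
class Session:
    account_name: str
    last_auth: float  # epoch seconds of the last successful login


# Constructed sample store: session id from the cookie -> server-side session.
SESSIONS = {"sid-123": Session("alice", last_auth=1_000.0)}


def is_authenticated(session, now):
    """True only if the session exists and its login has not timed out."""
    return session is not None and now - session.last_auth < SESSION_TTL


def render_leaky(store, sid, now):
    """Greets as soon as the cookie identifies an account, even when the
    login has expired, so the name is shown to an unauthenticated visitor."""
    session = store.get(sid)
    if session is None:
        return "Log in"
    if is_authenticated(session, now):
        return f"Welcome back, {session.account_name}"
    return f"Welcome back, {session.account_name}. Please log in"


def render_fixed(store, sid, now):
    """Greets only after the authentication check passes. Expired and
    unknown cookies get the same generic page, and stale state is dropped."""
    session = store.get(sid)
    if is_authenticated(session, now):
        return f"Welcome back, {session.account_name}"
    store.pop(sid, None)
    return "Log in"


if __name__ == "__main__":
    later = 1_000.0 + SESSION_TTL + 1  # one second past the timeout
    print(render_leaky(dict(SESSIONS), "sid-123", later))
    print(render_fixed(dict(SESSIONS), "sid-123", later))
```

Returning the same page for an expired cookie and an unknown one also means the response cannot be used to tell whether a given cookie ever belonged to an account.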