diff --git a/backend/internal/usecase/usecase.go b/backend/internal/usecase/usecase.go
index e211862..5b20b1b 100644
--- a/backend/internal/usecase/usecase.go
+++ b/backend/internal/usecase/usecase.go
@@ -630,7 +630,8 @@ func (s *Service) RegisterAccount(ctx context.Context, company *domain.Company,
 func (s *Service) Authenticate(ctx context.Context, username, password string) (string, time.Time, error) {
 	user, err := s.repo.GetUserByUsername(ctx, username)
 	if err != nil {
-		return "", time.Time{}, err
+		// Return generic error to avoid leaking DB details or user existence
+		return "", time.Time{}, errors.New("invalid credentials")
 	}
 	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(s.pepperPassword(password))); err != nil {