That's the problem with "social" usernames — they're meant to be known.
Another problem, Twitter appears to validate e-mail addresses:
Looks like nobody's home at jackd@twitter.com:
Twitter's settings include an option to require "personal" infomation such as an e-mail or phone number:
But that's less than useless if Twitter won't actually let you add your number:
And just how "personal" is a phone number anyway?
Two-factor authentication?
Sure.
But Twitter should first stop validating e-mail addresses.
And then maybe it could add an option to disallow logins via the publicly known username.
Edited to add: On second thought…
How about this?
Twitter should stop validating e-mailing addresses in its password reset form.
And then, discriminate between using e-mail and username. If an account is accessed with the username — don't provide access to the account settings! The e-mail address (alias) could then be used only by account "adminstrators".
Example: regular @AP staff could login with "AP" — no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could login using the "secret" e-mail address and would be able to change account settings (and lockdown the account in case of a breach).
Discriminating between e-mail and username — a way to distinguish between "admins" and "users".