An authentication service allows user accounts to be disabled (a sort of soft-delete).
If the server then receives an authentication request for a disabled user that would
I've got two different answers for what to return in this case.
Semantic choice - 401 Unauthorized. In this case, your client has provided credentials, and the request has been refused based on the specific credentials. If the client were to try again with a different set of credentials, or if the account were to be re-enabled in the future, the same request might succeed.
Security choice - 404 Not Found. Many services will simply return a 404 for any failure, in order to avoid information leakage. GitHub comes to my mind immediately.
From General API Information, in GitHub's developer docs:
Unauthenticated requests will return 404 to prevent any sort of private information leakage.
For something I was deploying as a public service, I'd probably go with using 404 to avoid giving an attacker clues about their credential attempts. If it was for internal-only consumption, or in testing, I'd probably return 401.
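An added illustration of the two policies in the answer above (example code, not from the answer or from GitHub): a constructed in-memory user store with one active and one disabled account, an `authenticate` function that applies either the public uniform-404 policy or the internal 401 policy, and a check of how many distinct responses the three failure cases (unknown user, disabled user, wrong password) produce. Usernames, passwords and the PBKDF2 parameters are assumed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    disabled: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, disabled: bool = False) -> User:
    salt = os.urandom(16)
    return User(salt, _hash(password, salt), disabled)


# Constructed sample store (assumption: a real service keeps this in a database).
USERS = {
    "alice": make_user("correct horse"),                 # active account
    "bob": make_user("battery staple", disabled=True),   # soft-deleted account
}

# Dummy record used when the username is unknown, so the password is always
# hashed and compared and the unknown-user path does not skip work.
_DUMMY = make_user("dummy")


def authenticate(username: str, password: str, public: bool) -> tuple[int, str]:
    """Return (HTTP status, body). public=True applies the uniform-404 policy."""
    user = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
    if username not in USERS:
        reason = "no such user"
    elif user.disabled:
        reason = "account disabled"
    elif not password_ok:
        reason = "bad password"
    else:
        return 200, "ok"
    if public:
        return 404, "Not Found"   # every failure looks the same to the caller
    return 401, reason            # internal/test policy: say why it was refused


def distinct_failure_responses(public: bool) -> int:
    """Number of different responses across the three failure cases; 1 means no leak."""
    probes = [("nobody", "x"), ("bob", "battery staple"), ("alice", "wrong")]
    return len({authenticate(u, p, public) for u, p in probes})
```

Under the public policy every refused request is the same 404, so the response does not tell the caller whether the account exists or is merely disabled; the internal policy deliberately does.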