Private repository names are discoverable
By guessing repository names, anyone can discover the names of someone's private repos. For example, my user, gavinwahl, has a private repo named private-repo. By visiting https://bitbucket.org/gavinwahl/private-repo this can be confirmed, because the page returns a redirect to the login page. I do not have a private repo named 'foo', and you know this because https://bitbucket.org/gavinwahl/foo returns a 404.
It should not be possible to gain any information about a user's private repositories. By using different behavior for repositories that exist or don't, anyone can learn whether a specific repository name exists or not.
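
The following sketch is an added example, not part of the original report and not Bitbucket's code. It models the reported behaviour next to a handler that answers identically for "does not exist" and "exists but you may not see it". The repository table, the `LOGIN_URL` path, the user `mallory` and all function names are assumptions made for illustration.

```python
from typing import NamedTuple, Optional


class Response(NamedTuple):
    status: int
    location: Optional[str] = None


# Constructed sample data: (owner, slug) -> users allowed to read the repo.
PRIVATE_REPOS = {("gavinwahl", "private-repo"): {"gavinwahl"}}
LOGIN_URL = "/login"  # hypothetical path, not taken from the report


def leaky_view(owner, slug, viewer=None):
    """Behaviour described in the report: existence changes the response."""
    readers = PRIVATE_REPOS.get((owner, slug))
    if readers is None:
        return Response(404)              # repo does not exist
    if viewer is None:
        return Response(302, LOGIN_URL)   # repo exists, viewer is anonymous
    return Response(200) if viewer in readers else Response(403)


def uniform_view(owner, slug, viewer=None):
    """Hardened: 'missing' and 'not allowed' produce the same response."""
    readers = PRIVATE_REPOS.get((owner, slug))
    if readers is not None and viewer in readers:
        return Response(200)
    # From here on the answer depends only on who is asking,
    # never on whether the repository exists.
    return Response(302, LOGIN_URL) if viewer is None else Response(404)


def distinguishable(view, owner, existing, missing, viewer=None):
    """True if the view answers differently for an existing vs. a missing slug."""
    return view(owner, existing, viewer) != view(owner, missing, viewer)


if __name__ == "__main__":
    for view in (leaky_view, uniform_view):
        leak = distinguishable(view, "gavinwahl", "private-repo", "foo")
        print(f"{view.__name__}: existence leaks to anonymous users = {leak}")
```

Matching status codes is necessary but not sufficient: response bodies, headers and timing must also be the same on both paths.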