diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
index 906480586b769..57a442512d9f6 100644
--- a/packages/@aws-cdk/aws-cognito/README.md
+++ b/packages/@aws-cdk/aws-cognito/README.md
@@ -582,7 +582,7 @@ pool.addClient('app-client', {
 An app client can be configured to prevent user existence errors. This
 instructs the Cognito authentication API to return generic authentication
 failure responses instead of an UserNotFoundException. By default, the flag
-is not set, which means different things for existing and new stacks. See the
+is not set, which means the CloudFormation default (false) will be used. See the
 [documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html)
 for the full details on the behavior of this flag.
 
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
index 99ddaac75e595..549b0c60ef5f5 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -243,7 +243,7 @@ export interface UserPoolClientOptions {
    * user does not exist in the user pool (false), or whether it returns
    * another type of error that doesn't reveal the user's absence.
    * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
-   * @default true for new stacks
+   * @default false
    */
   readonly preventUserExistenceErrors?: boolean;