Uh, would we call this a MITM vulnerability? It seems that a user's unique identifier will appear within a hostname. So it will be exposed to their DNS provider(s) and intermediaries would be able to capture it through ordinary sniffing (unless the user is encrypting DNS traffic). Furthermore, that hostname will also appear in the SNI field during TLS handshake. So a party between the user and the TLS server would be able to capture it through ordinary sniffing. For purposes of discussion, the sniffing could be done through a passive tap. The sniffing party doesn't actually have to relay, let alone manipulate, any traffic. It only needs to receive a copy. The talk about using a captured unique identifier to access some information you shouldn't be able to access doesn't suggest that a MITM is required either.
Feh, just typical misuse of GET But the lesson here is to compartmentalize email, website, etc accounts. Using a given account across multiple communication channels links them. So each communication channel should have its own set of accounts. Don't cross the streams!