Unclear if this is a security issue or if just the data that's being dumped by HHVM non-public, filing as a security issue initially to be on the safe-side.
I have been seeing in the logs recently (I can definitely confirm I've seen it for both 1.29.0-wmf.16 and 1.29.0-wmf.17) HHVM info-level messages that seem to just be a dump of usernames here is an example of 1 error: https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-2017.03.23/hhvm/?id=AVr8w9atWOR5i8Oux1cj (around that time period there are many, the message is always unique -- it's a list of usernames -- so it's a bit difficult to point to a specific message in logstash).
Unsure who to tag about this. Tentatively adding @Tgr @Anomie @Legoktm since they're the login system pros.