The Echo Notification Mute (Block List) (introduced in T150419) can by bypassed by changing your username. This is a security issue because it is a form of access bypass: User Apples removes access of User Bananas to send notifications to User Apples. User Bananas then changes their username to User Oranges. User Oranges can now send notifications to User Apples and thereby bypass the access restriction imposed by User Apples.
This is because the block list is stored as a new line delimited list of usernames in the user_properties table. The Renameuser extension does not update the username in the preference(s).
This could be resolved by updating Renameuser to update the preference for every user. But this would be an expensive operation as it would have to go through every user and update the preference (if the username is in their list) or it would have to do a fulltext search (and exclude instances where the is part of a different username). Regardless, that is also expensive.
Alternatively, the Mute list should be updated to use the centralauth id retrieved from CentralIdLookup.
Another solution could be to use a separate table rather than a user preference. But ideally should still use a centralauth id, so perhaps that is outside of the scope of this issue.