The exact scenario is described in the non-public OTRS wiki: http://otrs-wiki.wikimedia.org/wiki/User:Church_of_emacs/mw_critical_bug
I remember having a discussion with Tim Starling and Brion Vibber when Wikimedia began to automatically create accounts on normal GET-requests. Tim and I had some concerns, while Brion rightfully said that the information of user:abc visiting a Wikipedia version on a specific date was a minor privacy concern. However, in the scenario (see URL) it seemed like this feature could lead to much more private information leaking.
Therefore I propose to disable automatic account creation on GET-requests and instead use only POST-requests to create accounts.
See also: T26755: Give other extensions a chance to stop auto creation