This is almost the same as T139570. Make sure you are logged in to enwiki and aren't blocking third-party cookies, then switch to some non-WMF site, and try this in your browser console:
$.getJSON("https://en.wikipedia.org/w/api.php?action=parse&prop=headhtml&format=json&callback=?", function(r) {console.log(r.parse.headhtml["*"]);})
The expected result is for patrolToken, watchToken, and csrfToken to equal +\, and the whole response to be indistinguishable from the response to the same request made without cookies.
The actual result is the full (40-digit) tokens for your account. There are also a few other pieces of private information there, such as your skin and language choices.
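A regression check for the expected result above, as an added example that is not part of the original report or MediaWiki's own code: it pulls the three named tokens out of a `headhtml` string and reports any that are not the anonymous `+\` value. The sample strings are constructed, and the `"name":"value"` JSON layout of the tokens inside `headhtml` is an assumption.

```javascript
// Added example: detect account tokens in a headhtml string obtained from a
// cross-site (JSONP) action=parse&prop=headhtml request.
const TOKEN_NAMES = ["patrolToken", "watchToken", "csrfToken"]; // names from the report
const ANON_TOKEN = "+\\"; // the two characters +\ that an anonymous request receives

// Extract each named token. Assumption: tokens appear as JSON string literals
// ("name":"value"), so JSON.parse is used to undo the backslash escaping.
function extractTokens(headhtml) {
  const found = {};
  for (const name of TOKEN_NAMES) {
    const re = new RegExp('"' + name + '"\\s*:\\s*("(?:[^"\\\\]|\\\\.)*")');
    const m = re.exec(headhtml);
    if (m) found[name] = JSON.parse(m[1]);
  }
  return found;
}

// Names of tokens whose value differs from the anonymous placeholder.
function leakedTokens(headhtml) {
  const tokens = extractTokens(headhtml);
  return Object.keys(tokens).filter((name) => tokens[name] !== ANON_TOKEN);
}

// The stronger expectation from the report: the response fetched with cookies
// must be identical to the one fetched without them.
function isIndistinguishable(withCookies, withoutCookies) {
  return withCookies === withoutCookies;
}

// Constructed sample: what an anonymous request should return.
const ANON_SAMPLE = String.raw`<script>mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"});</script>`;

// Constructed sample: a response carrying per-account tokens (placeholder hex,
// not real tokens) plus a private preference.
const FAKE = "0123456789abcdef0123456789abcdef01234567";
const LEAKY_SAMPLE = String.raw`<html lang="de"><script>mw.user.tokens.set({"patrolToken":"` +
  FAKE + String.raw`+\\","watchToken":"` + FAKE + String.raw`+\\","csrfToken":"` +
  FAKE + String.raw`+\\"});</script>`;

console.log("anonymous sample leaks:", leakedTokens(ANON_SAMPLE));
console.log("logged-in sample leaks:", leakedTokens(LEAKY_SAMPLE));
console.log("indistinguishable:", isIndistinguishable(LEAKY_SAMPLE, ANON_SAMPLE));
```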