The identifier in question is known as the CID: a 64-bit integer (usually written as an unsigned, 16-digit hexadecimal number) persistently associated with each Microsoft account, and widely used in Microsoft APIs to identify users.
So, what’s the problem?
It turns out that the CID can reveal quite a bit about the account owner. For example, if your account’s CID is 039827D56AE85E00 and Alice knows it, she could
- download your account picture (and do evil things with it);
- know your display name (and maybe real name) is “Johnny Fellows” on OneDrive.com (and cyberstalk you and your family); and
- know that you created this account on December 2, 2013 and that you still use it.
These are not the only pieces of information that can be revealed. In fact, the settings of some legacy apps are publicly accessible; for example, if you let the Calendar app display weather forecasts, Alice will be able to learn the location and temperature unit of your choice.
(The CID 039827D56AE85E00 mentioned above belongs to a demo account, and was published in a Microsoft blog post, so it’s harmless to post it here.)
As we said in the beginning, when you use one of the free web apps from Microsoft and the host name containing your CID is resolved, the request is visible to anyone who can monitor your DNS traffic. This includes everyone from packet sniffers at your local coffee shop, to your ISP, to whoever taps the Internet backbones in the name of national security. If you use Tor, the exit node resolves the name on your behalf, so your CID is visible to the exit node.
Update — As suggested by vbezhenar, the CID is visible to eavesdroppers even if the DNS lookup itself cannot be observed. The host name, CID included, is sent in clear text in the TLS ClientHello, in the extension known as Server Name Indication (SNI), so anyone on the path between you and the server sees it regardless of how the name was resolved.
When you use an HTTPS proxy server, the host names are visible to anyone who can access the proxy’s traffic log: the browser asks the proxy to open a tunnel (CONNECT) to the host name, so the proxy records it even though it cannot read the encrypted traffic inside. This may be the case, for example, at schools and libraries that use proxy servers to filter web content.
In addition, when you share a file on OneDrive, you get a URL that contains your CID. (Files on OneDrive are identified by a CID and a sequence number.) So before you share this URL with someone else, think twice.
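To make the observer’s view concrete, here is an added example (it is not code from the original post and not anything Microsoft ships) that pulls the CID out of constructed samples of what each vantage point named above sees: a DNS query name, the TLS SNI value, a Squid-style proxy access-log line, and a OneDrive sharing link. The host name pattern comes from the post; the sharing-link query parameters (cid=, resid=CID!sequence) and the log-line format are assumptions made for the example. The CID is the demo CID from the post.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Host name the free web apps resolve for a user (the form given in the post);
# the 16 hex digits after "cid-" are the CID itself.
CID_HOST_RE = re.compile(
    r"\bcid-([0-9a-f]{16})\.users\.storage\.live\.com\b", re.IGNORECASE)

# OneDrive sharing links carry the CID in the URL as well. The parameter names
# used here (cid=<CID>, resid=<CID>!<sequence>) are an assumption for this
# example; the post only says the URL contains the CID and a sequence number.
CID_PARAM_RE = re.compile(
    r"[?&](?:cid|resid)=([0-9a-f]{16})(?:!\d+)?(?=[&\s]|$)", re.IGNORECASE)


def extract_cid(observation: str) -> Optional[str]:
    """Return the CID (16 upper-case hex digits) leaked by one observed string,
    or None. The string may be a DNS query name, a TLS SNI value, a proxy log
    line or a sharing URL; the same two patterns cover all of them."""
    for pattern in (CID_HOST_RE, CID_PARAM_RE):
        match = pattern.search(observation)
        if match:
            return match.group(1).upper()
    return None


# Constructed sample observations, one per vantage point named in the post.
# The CID is the demo CID from the post, not a real user's.
SAMPLE_OBSERVATIONS: Tuple[Tuple[str, str], ...] = (
    ("dns query", "cid-039827d56ae85e00.users.storage.live.com"),
    ("tls sni", "cid-039827d56ae85e00.users.storage.live.com"),
    ("proxy log", "1425000000.123 45 10.0.0.7 TCP_TUNNEL/200 1234 CONNECT "
                  "cid-039827d56ae85e00.users.storage.live.com:443 - HIER_DIRECT/1.2.3.4 -"),
    ("sharing link", "https://onedrive.live.com/redir?resid=039827D56AE85E00!105&authkey=!AAAA"),
    ("unrelated", "1425000001.456 12 10.0.0.7 TCP_TUNNEL/200 800 CONNECT "
                  "www.example.com:443 - HIER_DIRECT/5.6.7.8 -"),
)


def cids_by_vantage_point(
        observations: Iterable[Tuple[str, str]] = SAMPLE_OBSERVATIONS) -> Dict[str, str]:
    """Map each vantage point to the CID it learns; points that learn nothing are omitted."""
    found: Dict[str, str] = {}
    for source, text in observations:
        cid = extract_cid(text)
        if cid is not None:
            found[source] = cid
    return found


def distinct_cids(
        observations: Iterable[Tuple[str, str]] = SAMPLE_OBSERVATIONS) -> Set[str]:
    """The set of accounts an observer holding all these vantage points can track."""
    return set(cids_by_vantage_point(observations).values())


if __name__ == "__main__":
    for source, cid in cids_by_vantage_point().items():
        print(f"{source:12s} -> {cid}")
```

Every vantage point except the unrelated log line yields the same 16 hex digits, which is the whole point: once any one of them is observed, the CID can be fed to the public endpoints described above.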
And there’s more. If you have linked your Microsoft account with your Skype account, anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app.
It should be mentioned, though, that Microsoft has started to migrate Outlook.com mailboxes to Exchange Online, so the current People app will be phased out eventually. (That said, the current “Outlook Mail (Preview)” on Exchange Online still loads your account picture from the same URL.)
What to do
Let’s wrap it up. There are really two problems: one is that CIDs get disclosed unnecessarily (in host names, sharing links, and so on); the other is that important, potentially personally identifying information about a Microsoft account can be revealed simply by knowing its CID.
For most users, the simplest workaround is to add an entry to the hosts file so that no DNS lookup is made for
cid-___.users.storage.live.com (where the blank stands for your CID in 16-character 0-padded hexadecimal form). If you map the name to 127.0.0.1 or 0.0.0.0, neither the DNS query nor a TLS handshake carrying the name in SNI leaves your machine; the price is that whatever the web app fetches from that host, your account picture for one, will no longer load. This won’t help, of course, if you must use a proxy server or make your DNS lookups remotely (as with Tor), since the hosts file is never consulted in those cases. Also, this isn’t an option on most smartphones.
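As an added example (not from the original post), this Python script produces the hosts-file line for a CID, normalising the CID to the 16-digit 0-padded lower-case form and refusing anything that isn’t hexadecimal, and appends it to a hosts file’s contents only if that host name isn’t already mapped, so running it twice does not duplicate the line. The sink address 0.0.0.0 is a choice made here; 127.0.0.1 works the same way.

```python
import re

HOST_SUFFIX = ".users.storage.live.com"
# A CID is a 64-bit integer, so at most 16 hex digits; accept an optional 0x
# prefix and missing leading zeros, reject anything else.
CID_RE = re.compile(r"^(?:0x)?([0-9a-f]{1,16})$", re.IGNORECASE)


def cid_hostname(cid: str) -> str:
    """Normalise a CID to the host name the web apps look up:
    cid-<16 lower-case hex digits, 0-padded>.users.storage.live.com.
    Host names are case-insensitive; lower case is used here."""
    match = CID_RE.match(cid.strip())
    if not match:
        raise ValueError(f"not a CID (expected up to 16 hex digits): {cid!r}")
    return "cid-" + match.group(1).lower().zfill(16) + HOST_SUFFIX


def hosts_entry(cid: str, sink: str = "0.0.0.0") -> str:
    """The hosts-file line that short-circuits the DNS lookup. Pointing the
    name at 0.0.0.0 (or 127.0.0.1) keeps the connection attempt on the local
    machine, so neither the DNS query nor the TLS ClientHello carrying the
    name in SNI leaves the host."""
    return f"{sink} {cid_hostname(cid)}"


def add_hosts_entry(hosts_text: str, cid: str, sink: str = "0.0.0.0") -> str:
    """Return hosts_text with the entry for cid appended, unless some line
    already maps that host name (comments after '#' are ignored)."""
    name = cid_hostname(cid)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in (f.lower() for f in fields[1:]):
            return hosts_text
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + hosts_entry(cid, sink) + "\n"


# Constructed sample hosts file; the CID below is the demo CID from the post.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    # Print the updated contents; writing /etc/hosts (or
    # %SystemRoot%\System32\drivers\etc\hosts on Windows) needs admin rights.
    print(add_hosts_entry(SAMPLE_HOSTS, "039827D56AE85E00"), end="")
```

Running the script prints the sample hosts file with the line `0.0.0.0 cid-039827d56ae85e00.users.storage.live.com` appended; copy that line into your real hosts file with administrator rights.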
Perhaps I’m being a bit paranoid; perhaps not. If you are concerned, you should tell your thoughts to Microsoft. Fixing the problems should be easy on Microsoft’s part.