Ramblings of an old Doc


“The connection leaks a unique identifier that can be used to retrieve the name and profile photo in plaintext.” – Annoyed MS User

The blogger is located in Beijing, and his discovery has been confirmed by Ars Technica, according to Steven Parker at Neowin.

“There are really two problems: one being that CIDs get unnecessarily disclosed—in host names, sharing links, etc.—and the other that there is important, potentially personally identifying information about a Microsoft account that can be revealed simply by knowing its CID.
For most users, the simplest workaround is to modify the hosts file to avoid DNS lookups to cid-___.users.storage.live.com (where the blank stands for your CID (in 16-character 0-padded hexadecimal form)). This won’t help, of course, if you must use a proxy server or make your DNS lookups remotely (as with Tor). Also, this isn’t an option on most smartphones.

As we said in the beginning, when you use one of the free web apps from Microsoft and the host name containing your CID is resolved, the request is visible to anyone who can monitor your DNS traffic. This includes everyone from your local coffee shop packet sniffers, to your ISP, and eventually to the men and women defending national security at the Internet backbones. If you use Tor, your CID is visible to the exit node.” – ibid

So…until MS migrates all the accounts to Exchange.com (which they’re doing), or fixes this (which they say they’re doing), you’re vulnerable to tracking: anyone who learns your CID can retrieve your account picture and do what they wish with it, learn your display name and maybe your real name, and learn when you created the account and that you still use it.
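As an added illustration (not code from this post or from the quoted blog), here is the hosts-file workaround described above, plus a check you can run over your own resolver’s query logs to confirm the host name no longer leaves your machine. The `0.0.0.0` target, the function names and the log line format are assumptions; the log lines are constructed.

```python
import re

# Host name pattern quoted in the post: cid-<16 hex chars>.users.storage.live.com
CID_HOST_SUFFIX = ".users.storage.live.com"
CID_HOST_RE = re.compile(r"\bcid-([0-9a-f]{16})" + re.escape(CID_HOST_SUFFIX) + r"\b")


def normalize_cid(cid):
    """Return the CID as 16-character, zero-padded, lowercase hex.

    Accepts an int or a hex string (with or without 0x / leading zeros).
    """
    if isinstance(cid, str):
        cid = int(cid, 16)
    if not 0 <= cid < 1 << 64:
        raise ValueError("CID does not fit in 64 bits")
    return f"{cid:016x}"


def cid_hostname(cid):
    """The per-account host name the web apps resolve (this is what leaks the CID)."""
    return f"cid-{normalize_cid(cid)}{CID_HOST_SUFFIX}"


def hosts_entry(cid):
    """hosts(5) line for the workaround: resolve locally so no DNS query is sent.
    Mapping to 0.0.0.0 is an assumption; any local/unroutable address works."""
    return f"0.0.0.0 {cid_hostname(cid)}"


def find_leaked_cids(dns_log_lines):
    """Return the set of CIDs whose host names appear in resolver query logs.

    Run this against your own resolver's logs: if your CID still shows up after
    adding the hosts entry, lookups are bypassing the hosts file (e.g. a proxy
    or Tor resolving remotely, exactly the caveat the quoted post raises).
    """
    found = set()
    for line in dns_log_lines:
        for match in CID_HOST_RE.finditer(line.lower()):
            found.add(match.group(1))
    return found


# Constructed sample resolver log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "Oct 06 10:12:01 resolver: query[A] cid-00000000deadbeef.users.storage.live.com from 192.168.1.20",
    "Oct 06 10:12:02 resolver: query[A] login.live.com from 192.168.1.20",
    "Oct 06 10:13:44 resolver: query[A] CID-0123456789ABCDEF.users.storage.live.com from 192.168.1.31",
]

if __name__ == "__main__":
    print(hosts_entry("deadbeef"))
    print(sorted(find_leaked_cids(SAMPLE_DNS_LOG)))
```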

Sources:

http://www.neowin.net/news/your-microsoft-account-identifier-is-stored-in-plain-text-exposing-you-online

https://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html


Comments
on Oct 06, 2015

"Beware logging on to Microsoft user account page, Outlook.com......"

-What ? So I shouldn't check my e-mails ???

on Oct 06, 2015

Andy...the problem exists...I'm just reporting it.

You can read the articles I referenced, and understand what the risks/tracking/etc. are.

Then, make your own decision.

You might consider having alternative/additional email addresses...

on Oct 06, 2015

I don't have an MS account or Outlook or One drive. For one I have no need for an MS account, I use yahoo for my email and one drive......they can stick it. It's not installed on my laptop. But thanks for the heads up Doc. I know people who use Outlook.

on Oct 06, 2015

Good info. Thanks Seth.

on Oct 06, 2015

DrJBHL

Andy...the problem exists...I'm just reporting it.
Yeah, for real Seth, I just wanted to confirm that was actually what it meant.