Microsoft web applications expose visitors' Microsoft Identifier (CID) in plain text. The CID is used as part of the hostname for the location of user data for Outlook.com, OneDrive, and Microsoft's account pages. The leakage of the Microsoft CID in clear text could allow threat actors to connect to the company's services to retrieve information on the targeted users. The disclosure of the CID makes each request visible to anyone who could monitor the DNS traffic. The CID could be used to access metadata from the Microsoft Live service; it is also possible to access information about when the account was created or when it was last accessed.
Source: https://securityaffairs.co/wordpress/40819/digital-id/microsoft-cid-exposed-plain-text.html

