Quote: Originally Posted by AmiableApkallu
Ever used a "Login with Google" button on some random website? Do you know what that website gets? A unique, internal account ID that Google has assigned to you. Details:
In technical terms, the login flow uses a protocol known as OpenID Connect. One of the pieces of information the website eventually gains access to is a "sub" claim:
An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

Sending out unique identifiers isn't inherently insecure. It's what that unique identifier can be used for or tied to that is potentially the problem.
Inherently it isn't a problem, but with the way that FFXIV are doing it, it absolutely is a problem, and absolutely is not a secure way of doing it.

It has also been a very long time since I've touched OIDC, but I am under the impression the sub claim is only shared with the replying application/party that has authenticated and when said person has requested said information. I am also under the impression that it isn't just sending my sub claim to another random user.
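
An added example, not part of either post above: how a website receiving an OpenID Connect ID token can check that the token was issued to it (the `aud` claim) and key the local account on `sub` rather than on email. The client ID, the sample tokens and all function names are constructed for illustration, and signature and expiry checks are assumed to be done by a JWT library beforehand.

```python
import base64
import json

ISSUER = "https://accounts.google.com"        # Google's OIDC issuer value
CLIENT_ID = "example-client-id.apps.example"  # hypothetical client ID of this website


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature part is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


def read_claims(id_token: str) -> dict:
    """Decode the payload segment. Assumes the signature was already verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def account_key(id_token: str) -> tuple:
    """Return the stable (iss, sub) key, rejecting tokens not meant for this site."""
    claims = read_claims(id_token)
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to a different relying party")
    return (claims["iss"], claims["sub"])


def login(accounts: dict, id_token: str) -> dict:
    """Look up or create the local account by (iss, sub), never by email."""
    key = account_key(id_token)
    record = accounts.setdefault(key, {"logins": 0})
    record["email"] = read_claims(id_token).get("email")  # mutable attribute only
    record["logins"] += 1
    return record
```

Two logins carrying the same `sub` but different email addresses land on the same account record, while a token whose `aud` names another client is rejected.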