That policy makes it clear that personal information can be gained from an IP address:
If you have not logged in, you will be identified by your network IP address. This is a series of four numbers which identifies the Internet address from which you are contacting the wiki. Depending on your connection, this number may be traceable only to a large Internet service provider, or specifically to your school, place of business, or home. It may be possible that the origin of this IP address could be used in conjunction with any interests you express implicitly or explicitly by editing articles to identify you even by private individuals.
It may be either difficult or easy for a motivated individual to connect your network IP address with your real-life identity. Therefore if you are very concerned about privacy, you may wish to log in and publish under a pseudonym.
Checkuser bit makes much easier to state a username to an IP, and there is nothing in the policy that allows anybody to 'publicly distribute' the username if a user logs in as an IP, except as noted here:
Wikimedia will not sell or share private information, such as email addresses, with third parties, unless you agree to release this information, or it is required by law to release the information.
What has happened here is that a username has been inquired about, an IP has been given, another username has been given, and now 'motivated individual', by the act of those being publicly distributed, is able to match those IPs, as recognized in the above policy, and find personal or private information.
There was no need and no policy allowance to post the username together with the IP address for public distribution. This is not the first time we have seen this done publicly. There is even another thread, about WJBscribe oversights
, were several issues of this kind of policy were brought up, and it reveals a bit of contradiction in when and how admin actions take place.