Hopefully they aren't able to get a list of all your user accounts. The IDs should not be iterable (like a UUID, for example!), and the friendly name (like an email address) is private information that shouldn't be getting out.

Generally, the subject tokens (short-ish, human enterable tokens) should only be active on a fraction of your accounts at any one time.