I would like to chime in and say thank you as well. I know I spent a pretty good deal of time trying to catch the bug, and found it to be very frustrating. I am very glad it was located and fixed.
What data got stolen? Nothing, because the first thing the js that we inspected does is a redirect, and once you are out of arduino.cc domains you cannot read any data from the js. In addition, we had a security mitigation not allowing untrusted js to read cookies where we store the session.