Although this now does not look like a security problem, we should always be wary about putting personal information on any community site.
I suppose most users (e.g. moderators) do not have access to PMs, but unless vBulletin (the software used here) is encrypting the PMs we post, they are accessible by anyone who has database access. That would include administrator type access as well as IT and support people including third party contractors.
to understand how private information is shared and protected.
The bottom line on the internet and social sites, is that no personal information can be truly protected absolutely.