TLDR; PadId was being broadcast to Read Only Clients.
Vileda discovered an issue where in certain conditions the pad ID of a user was being broadcast to users on a Rad Only Pad.
We fixed the issue within minutes of hearing about it (24 minutes to be precise).
You will need to checkout develop to get this security patch, we will be doing a major release soon-ish.
We will release specific details in a few weeks once everyone has patched up.
git checkout develop
git pull
/etc/init.d/etherpad-lite restart
Should be all you need for now.