This fixes a critical security vulnerability where non-imported profiles could authenticate as arbitrary users if their profile IDs shared any substring.