Regarding the original YouTube channel name system.
Google used to redirect from YouTube.com/name to YouTube.com/channel/name. So, naturally, creators started printing merch with the short form.
Then Google gave several of those short URLs to marketing brands, and claiming that the creators were at fault for using the short URLs (which had been stable for more than five years at that point).
The typical approach is to keep the PII in the backups encrypted with a user-specific key which is stored separately and can be deleted without touching the backups. I'd expect Facebook to do the same, but who knows?
As it happens, this incident was discovered by a curious user who had a script watching for new accounts with staff privileges, who brought the attacker's account it to the company's attention (in chat) because it looked unusual.
Stack Overflow seem to be following a very responsible incident response procedure, perhaps instituted by their new VP of Engineering (the author of the OP). It is nice to see.
Google used to redirect from YouTube.com/name to YouTube.com/channel/name. So, naturally, creators started printing merch with the short form.
Then Google gave several of those short URLs to marketing brands, and claiming that the creators were at fault for using the short URLs (which had been stable for more than five years at that point).
Pretty lousy.