It seems to me a fair bit of this bullet is overblown, since anyone who is concerned about connecting their Wikipedia account with their third-party account is free to just not link them, and if some attacker manages to break into our database to steal the account mappings we're probably going to be much more concerned that the attacker could also have stolen password hashes and email addresses.
Topic on User talk:Tgr (WMF)/external login
True (although we plan to move hashes to more secure storage, not sure about emails). The one scenario that is troubling me is where the attacker monitors the network traffic, detects the Wikipedia -> provider-> Wikipedia pattern that's indicative of an external login, and correlates it with public user activity. As long as we have public account creation logs / account lists it's trivial, and even if we hide them there it might be possible to identify the user over time from edits performed immediately after logging in. Granted, if you are worried about government tracking, you should not use external login... maybe we should just show a warning and use a cookie to make it one-time-only?
Would this service be covered by the Meta:Privacy policy? If so, presumably the following section would apply.
To Our Service Providers
We may disclose personal information to our third-party service providers or contractors to help run or improve the Wikimedia Sites and provide services in support of our mission.
As hard as we may try, we can't do it all. So sometimes we use third-party service providers or contractors who help run or improve the Wikimedia Sites for you and other users. We may give access to your personal information to these providers or contractors as needed to perform their services for us or to use their tools and services. We put requirements, such as confidentiality agreements, in place to help ensure that these service providers treat your information consistently with, and no less protective of your privacy than, the principles of this Policy.
Are you confident that Google or Facebook would agree to sign the WMF confidentiality agreement?
More likely this section would apply, considering that it would only be used when a user specifically links their Wikimedia wiki account to the third party for the purpose of authentication.
With Your PermissionWe may share your information for a particular purpose, if you agree.
Further, it's likely that MediaWiki itself wouldn't send any user-specific information to the third party. Everything the third party gets would be either the "Information We Receive Automatically" type (because they receive it automatically too, that's how the Web works) or things they might be able to derive by correlating the login with data that MediaWiki makes publicly available such as edits and Special:Log.
As Anomie says, the WMF would not share any information with the external provider; the provider would share information with the WMF (presumably a user ID, a username and maybe an email address), after getting explicit permission from the user. It's important to explain to users what information their browser will share with the provider if they use the login option, but that's not really something that would fall under the privacy policy. (In my non-expert opinion, anyway. WMF Legal would of course be involved before any serious planning.)
I'm glad to hear that you don't think that the proposal would rely on having other, possibly for-proft, parties signing up to WMF terms.