t3lib_BEfunc::blindUserNames might use wrong group list collection
The mentioned method used to blind usernames that are not in a set of defined groups uses a wrong group collection.
The check is performed on the be_users field "usergroup_cached_list", this is fine for the current logged in user, however for any other user this might lead to wrong results. The reason is, that "usergroup_cached_list" is written when a user is logged in (see t3lib_userAuthGroup::fetchGroupData()).
Thus, if the groups of a user have been modified, the "usergroup_cached_list" will stay unmodified until the next login of the accordant user.