BobDaHacker 2 days ago
You absolutely nailed it. As the researcher who found these vulns, I can confirm the over-engineering is real. They literally had internal user IDs (ofId) already implemented and working, but kept the email-based JIDs for "legacy support." The entire XMPP system could have used these internal IDs from day one. The "14 months to fix" claim was even more ridiculous when you realize the fix was just... using the IDs they already had. No architectural changes needed. They even admitted they had a 1-month fix ready but chose not to deploy it. Your microservice translation layer guess is scary accurate - that's essentially what their "v2" endpoints were trying to do. They created new HTTP endpoints that used internal JIDs instead of email-based ones, but the XMPP layer still exposed everything, making the whole effort pointless. The best part? After going public, they implemented the "impossible" fix in 48 hours. Turns out you don't need 14 months when the Internet is watching.