The stringified JSON of the session object was used as the user ID, so yes, stored in plaintext and visible via the admin UI. 😭