[NathanKP]

One possible fix would be to only allow an account to bind to a device ID if that device ID wasn't already linked to another account. This would prevent you from just fishing through their info by linking your account to random device ID's.

You'd have to know the email address associated with the account, but that of course means you are using the device ID as the username and the email address as the "password", which is still pretty bad in my opinion.

[Dublum]

If they're going to insist on binding ID to account, it seems like the simplest way to do it would be just to submit the ID as an additional parameter in the login POST request and associate it as a single transaction, but again, using the ID at all is problematic.

[rwestergren]

I think the best solution is to not trust the client in assigning the perfectFitId. The login POST should be able to determine the perfectFitId for the user after login and maintain a session through oauth or other session management process.