When the AD/LDAP User Filter is too permissive, multiple user objects with the same Email Attribute may be returned. When this happens, and the Username Attribute is not present on the returned value, Mattermost may reset the username of the existing user with the same email address to a random string. This repeats every 60 minutes (or whatever the Synchronization Interval is set to).

For example, if two LDAP objects are returned:
{ userclass=contact, email=myusername@example.com }
{ userclass=user, sAMAccountName=myusername, email=myusername@example.com }

In this case, Mattermost may cause username@example.com's account to have its user id changed to a random 37-digit base-36 number

When this occurs, tracking the problem down is very difficult. The only information in the logs is that the username for several accounts changes to a new random value every hour.

To make this simpler, Mattermost's logs should indicate when the AD/LDAP system returns duplicate entries for the ID attribute.

(Mattermost Support suggested I file this as a Feature Request, although it feels like a bug)