Certainly the attack itself is not worth publishing: it's not in any way novel or interesting, the "anonymization" ejmr did was fundamentally broken from presumably day 1. Nothing the authors did here was new, novel, or complex - the only change is that what the cost of reversing has dropped from "a large organisation" to "a single PI's budget for a single paper" over 12 years.
We need to be very clear here: there is no part of the ejmr "anonymization" scheme that was correct for what they were trying to do. They did not salt the hash, the hash algorithm they used was considered deprecated a decade prior to ejmr existing, even the hash family they used is inappropriate for this purpose.
The reason for public disclosure of vulnerabilities is that the victims of those vulnerabilities need to know that they have been victims, and they need to know what information has been leaked by ejmr. Based on the actions ejmr took to change their hashing schema, it's fairly clear ejmr found out about the vulnerability (maybe the researchers told them, maybe the researchers were not unique in discovering this). But we also know that ejmr did not inform any of its users that ejmr had been leaking information about them for 12 years.
Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users, and as the HN and similar comments indicate, plenty of people would believe that breaking ejmr's system was too hard for anyone else to do.
I'm tired of repeating this: ejmr was not anonymous, their attempt at anonymization was trivially broken from day 1, and defeating the anonymization is absolutely trivial and is not remotely challenging - literally the only difficulty is how long vs how much money to spend.
