Thanks mc_dominic! That was the issue. It’d be helpful if MailChimp prevented users from choosing account names that are not URL-safe.
I’m looking through the 3.9 and 3.9.1 release notes and see nothing about either being a security release. Why are you being so alarmist?
I downgraded to WordPress 3.8.3 and am still seeing this problem.