I know of one community website that allows users to use custom third-party CSS and that shows a user's email address in the settings page, so I think you could at least leak email addresses through this (you can target a single input with the fake font, and email addresses aren't random, so the caveat of repeated characters not showing isn't that problematic).
This site doesn't allow password unmasking, but if it did that would also make it quite vulnerable on this front.
This site doesn't allow password unmasking, but if it did that would also make it quite vulnerable on this front.