After further investigation we have to correct a few things:
The problem isn't with the login directly, it's the site redirected to. There is also a link to this faulty site in the menu and if the user clicks this link the same problem happens. So it seems dnn should resolve url "website/foo/bar" to "website/bar/foo/[userid]" but fails to do so (for this one specific user) with the result "website/bar/foo/[brokenusername]". Does someone know where this masking/rewrite/redirect of the original url could happen?