Just noticed this and when Googling it has been picked up already, so this isn’t new, but the wp-statistics module (v13.0.8 for sure but likely others too. Will edit this when I have done some more research) seems to be logging information into the “wp-statistics.log” file in the root directory of the site it is installed on. You can therefore access it and read the IP addresses of visitors to a site if they have the addon enabled by visiting domain.tld/wp-statistics.log

You can block external access to it in the .htaccess file via:

<Files "wp-statistics.log">  
  Require all denied
</Files>

Hopefully they fix this soon, preferably by moving this file into the plugin folder and securing it.