"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."
Now, every password typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."" - CNET
This is one of those flaws you rarely hear about that have a real impact. The primary reason for gathering this information, namely which e-mail addresses belong to real accounts, is to perform targeted phishing.
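The change described in the quote, sketched as an added example (this is not Facebook's code): the old handler answers differently for registered and unregistered addresses, the new one returns one message for every input, and a small regression check confirms the two cases are indistinguishable. The handler names, the account set and the wording of the first "before" message are constructed for illustration.

```python
# Constructed sample account store (assumption, not from the page).
REGISTERED = {"alice@example.com", "bob@example.com"}

# Uniform message, as quoted in the CNET excerpt.
UNIFORM_MSG = ("Your password has been reset. An e-mail has been sent to all "
               "contact e-mails associated with your account, including {email}.")


def reset_before(email, outbox):
    """Old behaviour: the response text reveals whether the address is registered."""
    if email.lower() in REGISTERED:
        outbox.append(email.lower())
        # Constructed wording for the "instructions sent" case.
        return 200, "An e-mail with instructions on how to reset the password has been sent."
    return 200, "Unregistered Email. The email address you entered has not been registered."


def reset_after(email, outbox):
    """New behaviour: same status and same message template for every input."""
    if email.lower() in REGISTERED:
        outbox.append(email.lower())  # mail is queued only for real accounts
    return 200, UNIFORM_MSG.format(email=email)


def leaks_registration(handler, known, unknown):
    """Regression check: do the responses differ once the echoed address is masked?"""
    def normalised(addr):
        status, body = handler(addr, [])
        return status, body.replace(addr, "<email>")
    return normalised(known) != normalised(unknown)


if __name__ == "__main__":
    for handler in (reset_before, reset_after):
        leak = leaks_registration(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: response reveals registration = {leak}")
```

Identical response text is only part of the fix: if the mail is sent synchronously, response time can still distinguish the two cases, so the send belongs in a background queue.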