"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page
they got a message either saying that their password had been reset or
that an e-mail with instructions on how to reset the password had been
sent to their e-mail account, thus providing verification that the
e-mail address is legitimate. When a fake e-mail address was typed in
they got a message that said "Unregistered Email. The email address you
entered has not been registered."
Now, every password typed in gets the same message: "Your password has
been reset. An e-mail has been sent to all contact e-mails associated
with your account, including (the one typed in)."" – CNET
This is one of those flaws you rarely hear about that have a real impact. The primary reason for confirming which e-mail addresses are registered in this way is to perform targeted phishing.
Read more: http://news.cnet.com/8301-1009_3-10205476-83.html?tag=mncol
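The change described in the quote, sketched as an added example (not Facebook's code): a reset handler whose reply depends on whether the address is registered, next to one that answers identically, plus a regression check that compares the two replies. The function names, the account store, the status codes and the sample addresses are assumptions made for the illustration; only the message texts come from the quote.

```python
import secrets

# Constructed sample data: placeholder account store and a stand-in mail queue.
REGISTERED = {"alice@example.com"}
OUTBOX = []


def _send_reset_mail(email):
    # Only a registered address ever gets a reset token mailed to it.
    OUTBOX.append((email, secrets.token_urlsafe(16)))


def reset_before(email):
    """Old behaviour: the reply reveals whether the address is registered."""
    if email.lower() in REGISTERED:
        _send_reset_mail(email.lower())
        return 200, ("An e-mail with instructions on how to reset the "
                     "password has been sent.")
    # Status code 404 is an assumption; the quote only gives the message.
    return 404, ("Unregistered Email. The email address you entered "
                 "has not been registered.")


def reset_after(email):
    """New behaviour: same status and same message template for any input."""
    if email.lower() in REGISTERED:
        _send_reset_mail(email.lower())
    return 200, ("Your password has been reset. An e-mail has been sent to "
                 "all contact e-mails associated with your account, "
                 "including %s." % email)


def leaks_registration(handler, known, unknown):
    """Regression check: True if the two replies can be told apart."""
    status_k, body_k = handler(known)
    status_u, body_u = handler(unknown)
    # Mask the echoed input so only server-chosen content is compared.
    body_k = body_k.replace(known, "<input>")
    body_u = body_u.replace(unknown, "<input>")
    return (status_k, body_k) != (status_u, body_u)


if __name__ == "__main__":
    for handler in (reset_before, reset_after):
        leaked = leaks_registration(handler, "alice@example.com",
                                    "nobody@example.com")
        print(handler.__name__, "distinguishable replies:", leaked)
```

The check compares status and body only; response timing is a separate channel that it does not measure.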