True, I wouldn't give Facebook a free pass on this alone.
Is it really so hard to imagine that somebody, somewhere fudged a query and accidentally ran [pseudo-SQL] "UPDATE posts SET type='status' WHERE type='private-message' AND date = 'x' TO 'y'"?
I'll admit, it's a bit of a stretch; but the fact that these show up as wall posts is not necessarily an indication that there is no bug.
The bug may very well be that data has been manipulated to look like wall posts.
Unless Facebook discloses that these posts were flagged as "status updates" _in an archived version of their dataset_ (specifically an archive before the issue first manifested), this information means practically nothing. We could gather from the bug itself that these were flagged as wall posts in FB's backend.
No one is giving Facebook a free pass. We currently have no evidence whatsoever of a bug. On the other hand, we do know that wall posts could not be commented on pre-2009. Informal conversations were carried out with quick exchanges of wall posts. The whole conversation could be viewed with the "wall-to-wall" link. We used Facebook in a different way back then, and the conversations reflect that. If you have email notifications confirming that a private message is now public then please let us know. So far every person to check their records has found that there was no bug, they merely forgot how Facebook used to be.
According to one Facebook employee, private messages are stored on an entirely different system (MYSQL vs HBase). This seems perfectly reasonable, and precludes the possibility of a bad SQL query leaking private messages. http://news.ycombinator.com/item?id=4567009