Is it really so hard to imagine that somebody, somewhere fudged a query and accidentally ran [pseudo-SQL] "UPDATE posts SET type='status' WHERE type='private-message' AND date = 'x' TO 'y'"?
I'll admit, it's a bit of a stretch; but the fact that these show up as wall posts is not necessarily an indication that there is no bug.
The bug may very well be that data has been manipulated to look like wall posts.
Unless Facebook discloses that these posts were flagged as "status updates" _in an archived version of their dataset_ (specifically an archive before the issue first manifested), this information means practically nothing. We could gather from the bug itself that these were flagged as wall posts in FB's backend.
According to one Facebook employee, private messages are stored on an entirely different system (MySQL vs HBase). This seems perfectly reasonable, and precludes the possibility of a bad SQL query leaking private messages. http://news.ycombinator.com/item?id=4567009
Screenshot of old Facebook: http://news.ycombinator.com/item?id=4566962
Yes, it is hard to imagine, since they run on entirely different backends, one being MySQL, one being HBase. See: http://news.ycombinator.org/item?id=4567009