No one is giving Facebook a free pass. We currently have no evidence whatsoever of a bug. On the other hand, we do know that wall posts could not be commented on pre-2009. Informal conversations were carried out with quick exchanges of wall posts. The whole conversation could be viewed with the "wall-to-wall" link. We used Facebook in a different way back then, and the conversations reflect that. If you have email notifications confirming that a private message is now public then please let us know. So far every person to check their records has found that there was no bug, they merely forgot how Facebook used to be.
According to one Facebook employee, private messages are stored on an entirely different system (MYSQL vs HBase). This seems perfectly reasonable, and precludes the possibility of a bad SQL query leaking private messages. http://news.ycombinator.com/item?id=4567009