Tommy DeVoss discovered a security vulnerability that allowed him to view the private email addresses of any Facebook user. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network s platform. DeVoss said on Thanksgiving Day he discovered the vulnerability and reported it to Facebook via its bug bounty program. Facebook said it would award DeVoss $5,000 for the discovery and implemented a fix to prevent the issue from being exploited.
Source: https://threatpost.com/clever-facebook-hack-reveals-private-email-address-of-any-user/122723/