The bug was exposed in a message posted to the Hacker News website. The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.
In some cases clicking on a link logged in to that account without the need for a password. All the links exposed the email addresses of Facebook users.
The message posted to Hacker News used a search syntax that exposed a system used by Facebook that lets users quickly log back in to their account. Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly by clicking it to log in in to their account.
Source: BBC News