BusinessWeek is running a great article on bug hunting at companies such as Facebook and Google, among others. One of the featured bug hunters is Imperva's Tal Be'ery. Here's Tal's account of finding that particular problem with Facebook and how it was reported.
On the 29th of July, Imperva's ADC team was exploring the login mechanisms of several prominent web applications including Facebook.
We were hoping to learn about the adoption of advanced security mechanisms, but you can imagine how surprised we were when we found out that Facebook's registration process was performed over HTTP with no encryption at all – leaving all the registration details, including the password, exposed to an eavesdropper.
For the sake of brevity, some irrelevant HTTP headers were removed, but here is the relevant part of the POST parameters:
This was a violation of Facebook's current privacy policy:
We keep your account information on a secured server behind a firewall. When you enter sensitive information (such as credit card numbers and passwords), we encrypt that information using secure socket layer technology (SSL).
Moreover, it was a risk to the privacy of Facebook's user base, about 500M at that time.
After we made sure that the violation was indeed valid and not an artifact of our testing environment, we reported the issue to Facebook. They acknowledged the security vulnerability and fixed it by August 15th.
