Facebook just disclosed that that their White Hat program has discovered a potential bug that could allow contact information, including email and phone numbers, to be accessed by other uses who have some type of existing connection. You can see a copy of the email above, which they're proactively sending affected users. In a blog post, though buried after several paragraphs of mitigation, Facebook said:
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
It's a lot to unpack, so read it carefully. If you received an email, read it doubly carefully. Then let us know what questions, concerns, and overall thoughts you might have.