Facebook's approach to images seems broken security-wise all around. You can also get to non-public images if you know the URL of the JPG: linking to the image page won't work, but a direct link to the JPG will happily serve itself up.
I've said it before, but I'd advise people to change the email addresses they've attached to Facebook. And definitely don't use the email address you give out to employers.
That's a pretty clever trick. I heard from some people that after doing the bulk upload thing, if your account in any way promotes a business, it gets shut down after about a week. Anyone who uploads large contact lists to Facebook gets into some type of human review system.