A fun though experiment for a bug like this would have been to test lists of emails against validating the ability to FaceTime call with the email and determine if it was used as the iCloud email address...
Had this bug gone unknown longer - then you'd have a list of all the endpoints you could spy on.
Had this bug gone unknown longer - then you'd have a list of all the endpoints you could spy on.