My buddy who made the vBulletin 4 to 3 downgrade script was tweaking his script and noticed the issue and tested it, which spit out the full database details to the 3.8.6 forum, a guest can query it.
I strongly recommend (if you run 3.8.6) to remove faq.php
and then change your mysql database details as a precaution.
Pitch (bug scrubber) was on IRC with us, assigned it to lead developer Kevin, so IB is now aware of it.
This way (we asked to create bug report), http://tracker.vbulletin.com/browse/VBIII-12798, and this thread, now customers are too.
Good luck everybody!