Uncheck the "Public Search Results" box in your Search settings. It's pulling from info you make public by checking the box.
That said, that box DOES NOT imply it's making your entire friends list public. It seems to say that only what's on the preview page is visible, but that's entirely wrong.
If it's the first, then that's definitely a problem, as anyone can be a FB user. In that case, care to post the command somewhere? This should be made known, as it's definitely a privacy concern, and FB tends to do nothing unless threatened.
After an initial backlash, Facebook made it relatively easy to remove your friends list from public search results, but it sounds like it isn't actually blocking access to them — they're just harder to find.
From Facebook's blog post ( http://blog.facebook.com/blog.php?post=197943902130 ):
"In response to your feedback, we've improved the Friend List visibility option described below. Now when you uncheck the "Show my friends on my profile" option in the Friends box on your profile, your Friend List won't appear on your profile regardless of whether people are viewing it while logged into Facebook or logged out. This information is still publicly available, however, and can be accessed by applications. "
Facebook should properly authenticate access to the URL given in the post, and reenable blocking all applications. That is, actually respect people's privacy, not just patch things up to superficially look like it.
