Is this a security flaw?
It's hard to say!
It could be an intentional move on the part of a company to improve user experience for logging in. I know Facebook do this for the sake of user experience, which has been asked about before in a different way.
There a few articles out there about Facebook doing this, but I haven't managed to find anything from Facebook themselves. The only thing I did manage to find was this article which mentions asking a Facebook engineer about it.
This is quite hard to pull off securely, because any acceptance of passwords that aren't your actual password is almost guaranteed to be at the detriment of security, as discussed here.
If so, what should I do with this information?
If you can't find any information online about the company doing this sort of thing (though from your emphasis on the size of the company I feel like it could be Facebook?), I recommend reaching out to them. If they're sizeable chances are they've been asked this before, and should be able to answer you relatively easily. Some companies have published security team mailboxes that you should be able to send this question to.
The answer by @orbuculum has some good resources for how to handle the "what should I do" side of this. It's a tricky area because both extremes (i.e. overreacting and punishing the reporter vs. underreacting and ignoring your communications) appear at least from online reports to be fairly common in companies. If the company is as big and popular as you say, there should be less of a concern about this.
N.B:
While I was down the rabbit hole I also came across Locality-sensitive hashing which discusses methods of doing this within the hash function itself.