Yeah, this is pretty much the cardinal sin of infosec right here. I get that the circumstances that led to this were complicated, but honestly for a system used by so many people who will likely use the same password somewhere else, there should have been some sort of automated thing set up to make sure this can't happen anywhere, similarly to how major banks and other highly regulated companies will use that same kinda thing to scan for PII in the wrong places.
As for the actual impact on users, they're saying that they haven't detected any external access, but of course the danger is that there has been external access that they don't know about. Recommend changing your password on FB, and on any other services that you use the same password for (make sure they're unique after changing them).