Facebook is hardly a paragon of security and privacy, even when everything is up and running properly. So it getting hacked is hardly a surprise. Fortunately, no user data was compromised, so really what this boils down to is Facebook being embarrassed.
So what happened, precisely? Facebook’s security blog lays it out:
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.
We have found no evidence that Facebook user data was compromised.
In other words, whoever installed this exploit wasn’t looking for Facebook specifically. It was essentially the virus version of a dog poop that blends in with the sidewalk, waiting for people to step in it.
It’s likely the attack was just looking for proprietary data to sell: Facebook’s pipes and wires, not user data, because, let’s face it, it’s not like that’s hard to get.