The attack involves resetting the user's password, which would have made the original user unable to access their own account until they reset the password back. After several such incidents were reported, Facebook likely would have cottoned on.