And we don't just mean they could see all those pictures of you drunkenly fingering that elephant pinata at your cousin's birthday blowout. Facebook was accidentally leaking access tokens to advertisers, developers, every-damn-body. Theoretically, these tokens could give a third party the ability to post as you on your profile, as well as look through literally everything you've ever posted on Facebook. As many as 100,000 apps had tokens leaked to them over a period of years.
"What other social network are you going to use -- MySpace?"
It's not directly Facebook's fault, except where they've been completely negligent about what goes on on their servers. Most Facebook apps are developed by third parties that can basically hijack the service for whatever dubious purposes they like, as evidenced by the plague of Facebook app viruses that spread thanks to people's tendency to click on anything that looks vaguely like a picture of boobs.
"Tits? Hell yeah I'll let you have access to my hard drive."
"Can you believe Bill is flirting with Jane and Sarah? Let's try to sell penis enlargers to all of them."