It wasn’t exploiting a vulnerability, they gained access to other peoples data because the site has a deliberate feature to share your data with your relatives if both have allowed that. That’s why the term used is “scraped”, they copied what the site showed.
When someone logs in to a Facebook account, it’s not a vulnerability that they can now see all of the info their friends have set to “friends only”, essentially.

Also they used a botnet so the login attempts weren’t suspicious enough to do anything about - they weren’t brute forcing a single user multiple times, but each trying once with the correct password.