
The hacker could have worked with the black market. They could use a botnet to slowly hack a large percentage of FB potentially. Seeing as how they disabled rate-limiting on a public-facing beta with user data, why assume they would notice brute forcing against beta?


The attack involves resetting the user's password, which would have made the original user unable to access their own account until they reset the password back. After several such incidents were reported, Facebook likely would have cottoned on.



