I'd be pretty surprised if an attacker could actually get away with a lot of sensitive, actionable bulk user data from Facebook. DMs would probably be way too big in total, unless they just looked for DMs of high-profile people.
As for passwords, they're probably not stored in a very crackable format (probably some kind of super-bcrypt-esque algorithm with a pepper). Of course, they could hijack the login procedure and harvest passwords in real-time until they're detected. That would still be really bad depending on how long they can evade detection - maybe millions of passwords - but at least it wouldn't be retroactive. And the password dump could still be bad for people looking to target individuals within the dump.
Maybe advertising data could be trimmed down enough to dump the whole thing? Every ad that accounts have clicked?
> Of course, they could hijack the login procedure and harvest passwords in real-time until they're detected.
Facebook makes it really hard for people to log off. Unless one is using a shared computer, I doubt she types her password more than a couple times a year.
