They got past Facebook's security, ergo Facebook has a security problem. The fact they used the clever technique of breaking into the security manager's home network is neither here nor there. This could have been fixed by, for example, requiring the engineer access any admin systems via a VPN or other secure tunnel (or only on-site)† and ensuring he doesn't use the same password for admin functions as anything else. Both of these are simple, straightforward, best practice security measures, so it's fair to say Facebook's security is bad.

† It isn't clear whether he accessed work-related stuff from home or not; it may just have been he reused a password between his internet accounts and his facebook roles.

Since Facebook uses SSL for authorization, an educated guess would be that they somehow intercepted the homepage of Facebook (which is not SSL-encrypted), and replaced with a phishing web page.

> Even though the title says the employees succeeded to bypass Facebook security, it seems they did so by breaking into the user's home network.

It's a great reminder that security can often be easily circumvented when using a "human weakness" (ie: corruption on so who has access to the system, passwords on post-its), than the system itself.

True, they did break into his own network, but that wouldn't matter if Facebook had a secure login page (SSL).

Facebook does appear to use SSL. If you look at the login form, they are submitting to: https://login.facebook.com/login.php?login_attempt=1

Which means next to nothing if the page with the login form isn't encrypted. A man in the middle attack would just replace the Facebook login page, and the user would likely never notice.