It's still fair to say that prosecuting after the fact, if you can find the person responsible, is a pretty shoddy way to run your security. And if you acknowledge that, then it isn't difficult to see the value - both to product and to PR - of choosing to be magnanimous with the benign ones. It's still fair to criticize Facebook for an overreaction which appears to be a way to cover its own ass and deflect attention from the larger issue, namely, that it should have spent to prevent this in the first place, and that nobody knows who else is accessing user information.