The upshot is that there isn't a lot of reason to believe that FB was deliberately furnishing user info to the advertisers; rather, the thing is that they *weren't* sending ads through the same hoops that apply to normal external links. It all hinges on the "Referer" feature that is built into the web: browsers generally tell webpages where the user got to them from. This is pretty useful in a lot of ways, but can leak information: if the URL you came from contains, say, your Facebook user ID, the page you are going to can find that out.
I gather from the article that FB goes to some effort to scrub that referrer information for normal links from the site (by forcing the link through an indirection), but wasn't doing so for ads. FB is claiming that this was accidental, and promptly fixed it. Frankly, I'm inclined to believe them, at least to some degree: in a company like that, it's not at all unusual for the left hand to not know what the right is doing, and it's quite plausible that the people running the guts of the site had little insight into how the ad program worked.
None of which lets FB entirely off the hook, mind -- the story still supports the notion that FB just hasn't *cared* very much about user privacy, and either doesn't have clear guidelines about it or hasn't been doing the sort of audits necessary to be serious. But it does sound like this was just another instance of that pattern (supporting lots of other evidence that's been coming out lately), rather than them deliberately passing the user info under the table.
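The kind of audit mentioned above can be sketched in a few lines. This is an added example, not code from Facebook or from the article: it classifies a page's outbound links by whether they go through the site's indirection or leave directly with an identifier-bearing Referer. The hosts, the `/out` redirector path and the `id=` parameter are constructed placeholders, and it assumes the redirector serves an interstitial page (so the destination sees the redirector URL, not the profile URL) and the older browser default of sending the full page URL as Referer.

```javascript
// Added example: which outbound links would expose the page URL via Referer?
// All hosts, paths and IDs below are constructed placeholders.
const SITE_HOST = "social.example";   // assumption: the site's own host
const REDIRECT_PATH = "/out";         // assumption: hypothetical indirection endpoint

// Referer a browser sends when following `href` from `pageUrl`, modelling the
// legacy "no-referrer-when-downgrade" default: full URL without fragment or
// credentials, and nothing at all when going from https to http.
function refererSent(pageUrl, href) {
  const page = new URL(pageUrl);
  const target = new URL(href, page);
  if (page.protocol === "https:" && target.protocol === "http:") return null;
  page.hash = "";
  page.username = "";
  page.password = "";
  return page.href;
}

// Classify every link on the page; "leaks-id" marks a direct external link
// whose Referer would carry a match for `idPattern`.
function auditLinks(pageUrl, hrefs, idPattern) {
  return hrefs.map((href) => {
    const target = new URL(href, pageUrl);
    if (target.host === SITE_HOST) {
      const status = target.pathname === REDIRECT_PATH ? "via-redirector" : "internal";
      return { href, status, leaked: null };
    }
    const referer = refererSent(pageUrl, href);
    const match = referer ? referer.match(idPattern) : null;
    return { href, status: match ? "leaks-id" : "external-no-id", leaked: match ? match[0] : null };
  });
}

// Constructed sample: a profile page with one scrubbed link, one ad, one internal link.
const samplePage = "http://social.example/profile.php?id=1234567#wall";
const sampleLinks = [
  "/out?u=http%3A%2F%2Fnews.example%2Fstory", // normal link, forced through the indirection
  "http://ads.example/click?campaign=42",     // ad link that bypasses it
  "/photos",
];
const auditResults = auditLinks(samplePage, sampleLinks, /[?&]id=\d+/);
console.log(auditResults);
```

Current browsers default to `strict-origin-when-cross-origin`, which trims cross-site Referers to the origin, so the same audit on a modern site would also need to account for the page's Referrer-Policy.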