It wasn't that they could log into any account they wanted (that would be much worse); it was that they could view any profile page they wanted, so it was essentially like an employee could become "friends" with a user, without the user knowing, and without the user's consent.