There isn't a lot of technical data on this one, but it seems that some network equipment on AT&T's wireless network gave one user's session cookie to another user, circumventing authentication and handing Facebook access to a random person.
Facebook could have prevented this by using SSL for its connections, but the incident points to an even scarier issue on the carrier's side: data like this shouldn't be sent to random clients. AT&T remarked that it was fixing the issue, but no more details have come in.
Users should make sure to log out of their accounts when they are finished. This report concerns Facebook, but the same problem could potentially affect any unencrypted service that uses session cookies to keep state.
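
A check a site operator could run for the exposure described above, as an added example that is not part of the original report: it flags session cookies issued over plain HTTP or without the `Secure` attribute, which is what allows them to cross carrier equipment unencrypted. The host name, the cookie name `session_id` and the sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured traffic): URL plus its Set-Cookie headers.
SAMPLE_RESPONSES = [
    ("http://social.example/home.php", ["session_id=3f9a1c; Path=/; HttpOnly"]),
    ("https://social.example/login.php", ["session_id=77b2e0; Path=/; HttpOnly"]),
    ("https://social.example/home.php", ["session_id=c41d9e; Path=/; Secure; HttpOnly",
                                         "locale=en_US; Path=/"]),
]

# Assumption: cookie names that carry login state for this hypothetical service.
SESSION_COOKIE_NAMES = {"session_id"}


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attr_names = {a.split("=", 1)[0].strip().lower() for a in attrs if a}
    return name, attr_names


def audit(responses, session_names=SESSION_COOKIE_NAMES):
    """List session cookies that can travel in cleartext between client and server."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if name not in session_names:
                continue  # non-session cookies (e.g. locale) are out of scope here
            if scheme != "https":
                # The cookie itself was delivered unencrypted.
                findings.append((url, name, "set over plaintext HTTP"))
            elif "secure" not in attrs:
                # Delivered over TLS, but the browser will also send it over HTTP.
                findings.append((url, name, "missing Secure attribute"))
    return findings


if __name__ == "__main__":
    for url, name, problem in audit(SAMPLE_RESPONSES):
        print(f"{url}: cookie {name!r} {problem}")
```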