The hacker was spotted offering the credentials for sale on an underground forum. An image of the post in question was posted on Twitter by Mikko Hyppönen, CRO at F-Secure.
If the credentials are legitimate and the accounts exist, that means that 1 in every 300 accounts is compromised and can be used by the buyers to prey on other users by spamming and scamming them, not to mention directing them towards sites serving malware. People are more likely to fall for such tricks because they tend to trust other users in their (online) social circle.
InfoWorld reports that Facebook has yet to comment on the whole situation, but I can bet everything I have on the fact that they are investigating the claim thoroughly.