The important thing about this bug is that it allowed log-ins without passwords. No passwords were compromised. Therefor, asking users to change their passwords would have been FUD, as well as making it more difficult to identify which users were affected by the person exploiting the bug (if almost every user logs in during 4 hours, you're going to have a lot of trouble identifying the <100 accounts who were accessed by the attacker).