
IMAO Facebook IS a data breach that people voluntarily comply with, not just some vulnerabilities. Login with Facebook is a pretty stupid thing to do anyway, happily giving away even more data. Cannot think of 1 valid reason to do that except for being too lazy to generate a new password.



That's the whole point of OpenID. One account with one set of credentials, multiple profiles on multiple sites. Laziness is good. Much better than creating n accounts on multiple sites using the same passwords, getting the weakest site to be compromised silently and hackers streaming back to your other accounts from that one. I'd rather trust fb.com 2fa security team over joeschmoe.com's one.


I've used Facebook/Google logins for some small projects in the past. In theory it should be easy. The user doesn't need to remember their username let alone a password, or even if they made an account already. They can just click to log in.

There were two main issues. The first is that people don't trust Facebook or Google even if they already were signed into their services. They didn't want to give them any more information.

The second was that it was a huge pain to maintain and test. Facebook and Google changed how the services worked semi-regularly and it was not trivial to find their documentation on how to update everything (and during that time nobody could log into your service).

It should have been easy, but it wasn't and it was not worth it.


With the benefit of hindsight, that OpenID allows the ID authority to engage in tracking is a significant design flaw.



