"Value added" == "vulnerability added", once again.
Well, it's not so much DPI as it is plain ol'-fashioned proxying. Reading between the lines:
>"collaborated with Facebook to disable subscriber identification information as an option for automatic log-in.
>"For customers to access their Facebook account from AT&T wireless devices, Facebook now only will accept cookies placed by Facebook or full customer log-on information," AT&T said. "If the cookie isn't current, customers will be prompted to log in to their account"
... strongly implies that AT+T have some kind of partnering arrangement with FB, and they maintain some kind of trusted third-party FB authentication servers in their network, to provide a bit of "value-added" service to their customers by NATing, proxying and caching their login so that it can auto-login for them to save them having to type their email address and password so often. The sort of mix-up we've seen here could trivially easily occur in such a server if there was a bit of a race condition, or a non-atomic database, or for any of a multitude of other reasons related to the complexities of multi-threaded coding.
And the "fix" appears to have been for FB to decide to stop trusting AT+T's crappy servers. Good decision. They shouldn't have this kind of arrangement at all with anyone.