Facebook's Fault
If facebook would actually sit up and take notice this would not be such an issue. They don't seem to be taking any direct action, I haven't seen any notices/ alerts of pop up's from them notifying users that this is a scam.
This if I remember correctly was the same issue with RockYou.com fiasco, Facebook didn't at any point come out and say oh by the way you have a RockYou app on your account, RockYou had a breach and so you might want to change your passwords.
This is FAIL FAIL FAIL, its as is the RockYou fiasco has been pushed under the carpet, I do wonder how many people are still in the dark.