Kickstarter requests access to "your public profile, friend list, email address, hometown, current city and likes" from Facebook on logon. With stolen access tokens the attackers could query Facebook for that information with limitations:

1) only available until the tokes were revoked

2) if enabled, attacker must also obtain the 'app secret' and sign requests

3) if enabled, attacker must use the tokens from a white-listed IP address

The post only makes reference to encrypted passwords. Not sure if Facebook access tokens are included in that or not.

Does that mean that Facebook will revoke them, or are they useless to an attacker?

It means the tokens are no longer valid. It's as if the user has disconnected the Kickstarter app from their Facebook account. To log in with Facebook again, they have to reconnect, thus generating a new token.