Is this correct? Because all this time I was wondering about this scandal: apparently, this all started because someone had some app or website which got downloaded by a few hundred thousand FB users (who gave access to their info), and somehow they turned that into data of 50M users. And I also am well aware the current FB API doesn't allow you to get info about your friends if only you give permissions to an app. That this "breach" happened some time ago, when API permissions were different, would make a lot of sense to me.
Before 2015 Facebook apps could access the data of your friends if you gave it permission. Your friends didn't need to give explicit permission (though there were never-used settings to block access).
Some academic dude made a personality test app that harvested the data from all of the friends of people who used it. He paid lots of people (almost all American) on Amazon's Mechanical Turk to use it and harvested their data and the data of their friends.
He sold that data to Cambridge Analytica. This was in 2012 I think. Facebook removed that version of the Friends API in 2015 so this is no longer possible.
