[fauigerzigerk]

I don't think it's so clear. Two things happened:

(a) Users were duped into giving up their data under a false pretense. This alone cannot be called a breach.

Also, one of the following occurred:

(b.1) Facebook was duped into letting a fraudster install an app on their platform. If this happened, it was a breach.

or

(b.2) Facebook knew all along that the academic research was only a cover for duping users into giving up their data. If this happened then it was not a breach, because Facebook themselves effectively sold the data.

So what Facebook appears to be saying is: There was no breach. We sold the data!

[Edit] Judging by what this man says, it was probably b.2: https://www.theguardian.com/news/2018/mar/20/facebook-data-c...

My conclusion is that there was no breach.

[danso]

A small point, but one that FB uses in its defense: it does not charge for API usage

[fauigerzigerk]

Because they know that apps make money through Facebook ads and they do charge for those. If Facebook knew about the true purpose of this sort of app, then they also knew that they were going to make a lot of money off of it.