In this case there might not be a GDPR violation. If the data is taken by compromised browsers, then the breach wouldn't exist within Facebook's control.
It's not clear to me from reading the GDPR whether companies are responsible for the loss of personal data outside of breaches in their security. E.g. is a successful phishing campaign against customers a data breach? If not at fault, do they have an obligation to alert customers specifically about the attack?
The fines are applied by the regulatory agency of the member state, so that depends on national jurisdiction, but it probably goes to the budget of that member state.
‘personal data breach’ means a breach of security leading to the accidental
or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise processed;
Given the definition, I think it's a bit hard to argue this isn't a breach. It's a breach of security leading to unauthorised disclosure of personal data.