They didn't have all the data Facebook has though, just the data people explicitly granted them via the ACLs. That includes data they had access to view, but that's ok as it's the nature of social networking and communication. Once you send someone information, they can do with it as they please including share it with 3rd parties (unless you have some sort of contract saying that's forbidden).