[kbelder]

Not OP, but somewhere around 2010 I tinkered with creating a game for Facebook. I signed up for a developer account, spent some time with the docs and built a toy app.

It was a straightforward call to get info about the user, including name, email, interests, etc. Their friends list. Info about all their friends, including all the same details. And so on.

There was a EULA where the developer had to promise to delete all the info when the user signed out of the game, and not to share the info. That was the only security.

The project fizzled, but when the Cambridge Analytica news broke, it confused me, because my recollection is EVERYBODY had all those lists of user info. Seriously, tens of thousands of different companies, with the only thing stopping them was a pinky promise.

[snowwrestler]

This is all true, but to get that data you had to run an app on Facebook. To my recollection, you could not grab this level of data with a Facebook JavaScript tag on 3rd party websites. Facebook offered this data on-platform to convince organizations to drive their audiences to Facebook.com instead of their own site.