Note that I'm not saying that any of this is ok just because there was no illegality.
Some sketchy apps harvested this data (which was against Facebook's terms and conditions for those apps). So the apps may have broken the law. I guess there is the question "should Facebook have protected the data better" but I doubt they broke the law exactly.
Anyway the stupid thing about this is that it was obvious that's what all these sketchy apps were doing at the time. Facebook app developers knew they could get this data, and the only thing stopping its exploitation was Facebook's app T&C's - i.e. "please don't do bad things".
There was even a setting to prevent third party apps accessing your data when given permission by friends. That's how obvious this issue was. (I doubt anyone used this option).
Facebook removed the friends API in 2014 so this is all about historical data "breaches".