From The New York Times:
Facebook allowed Microsoft's Bing search engine to see the names of virtually all Facebook users' friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users' private messages.
The social network permitted Amazon to obtain users' names and contact information through their friends, and it let Yahoo view streams of friends' posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.
Facebook has done its usual denial + deflection, responding to the private message part in a Newsroom post:
In the past day, we've been accused of disclosing people's private messages to partners without their knowledge. That's not true – and we wanted to provide more facts about our messaging partnerships.
We worked closely with four partners to integrate messaging capabilities into their products so people could message their Facebook friends — but only if they chose to use Facebook Login. These experiences are common in our industry — think of being able to have Alexa read your email aloud or to read your email on Apple's Mail app.
It's hard to tell how accurate that is. Alexa reading your email might give Amazon access to it. Having Mail.app fetch and send your email doesn't give Apple any access to it.
The companies involved have also denied either knowing about the access, using it, misusing it, or some/all of the above.
Where Apple is concerned, the NYT provides this bit of word salad:
Facebook empowered Apple to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing, the records show.
Apple officials said they were not aware that Facebook had granted its devices any special access. They added that any shared data remained on the devices and was not available to anyone other than the users.
You could basically log into Facebook and then have iOS pull contact and calendar information for anyone in your friends list. Facebook would also update that information as it changed.
Apple has API for all the common services like Calendar and Contacts so developers can make third party apps and you can keep your data consistent between them. All of that is implemented on the developers' side though, and all of this was implemented on Facebook's side (aside from the Settings sheets in iOS, which Apple surfaced.)
But that data went from Facebook to your local Apple device, not to Apple Inc. When iCloud was released, all your contacts and calendars could be synced to it, but Apple's model for that kind of sync was device-first, not cloud-first like Google and other internet providers.
In other words, what the NYT wrote is hard to parse and probably as confusing for Apple as for anyone. But, it's hard to see how anyone's personal data could have gone to Apple using this set up, and Apple has no business interest or use for getting that information anyway.
Facebook has had over 20 concerning incidents this year alone, so vigilance is good. And having copies of you Facebook data on other companies' servers just increases the surface area for mistakes and misuse/abuse.
So, we definitely need to find out more about who had what, for how long, and what happened to it during that period. And, yeah, delete Facebook.