You clearly aren't informed of the issue.
The issue, such as people complain of, is that facebook was supposed to notify the user if their data was accessed by a 3rd party. The facebook rules were easy to exploit though, and an account claiming to be a poli-sci data study was allowed access to user data. They then violated the facebook rules and sold the data to Cambridge Anly. Facebook found out about the breach and sent a cease and desist letter, but did little else, and didn't warn the user.
Regardless, the harm would have been the "oh no, they steered a politically motivated add on my facebook page." As a light facebook user (like, once a month check to see if i missed someone's birthday), it's hard to get worked up over.
But still, facebook is the looser here, because that part of 3rd party shared content should be disclosed to the user when a breach, which be definition of the user agreement, and was outside of the terms of said agreement.
So just tell the user. Facebook sucks.