Prior to 2014, applications using the Facebook platform could download nearly everything posted by users, including photos, Likes, Interests, Groups and more – including from the friends of the person running the app – even items restricted to “Friends only” – and did so without permission of the Friends.
Everything ever posted on Facebook was “Public” to applications that requested access to “Friends” data.
An estimated 10+% of Facebook applications requested permission to access the data of Friends. Presumably most collected a limited set of personal data, but with 9 million applications in existence today, that would be 900,000 applications.
What could they get?

• Every post you ever made on your Timeline (including those that were to Friends and not Public)
• Every photo you posted online,
• A list of every Like you ever made on Facebook
• Every group you belonged to
• The Facebook determined list of “Interests” (determined by Group membership, Pages you Liked/Followed, and possibly text analysis)
• Your family relationships
• Your religion and politics

Here is Table 5 from a 2015 paper, cited below, capturing the Facebook API permissions in effect at the time. Applications could scrape any of the data listed in the “Friends Data” column, which is essentially everything as “friend.status” refers to timeline posts.

In 2014, Facebook rewrote this programming interface to restrict access to Friend’s data. Apps approved after that point were restricted – however, apps approved prior to that point could continue to run and continue to collect data.
Until last weekend, Facebook had a hidden privacy setting for Apps Others Use.The default settings for this page  had almost every item as share-able. I took this snapshot after I had cleared the settings; Facebook deleted this the next day.
When most every item was checked (and the default was checked) Apps run by your friends had access to all of your personal activity. This included everything you “Liked” on Facebook, plus all Interest and Group memberships – even apparently posts on your Timeline intended for Friends-only.

Consumer Reports noted that applications were sharing data for Friends – back in a 2012 online column (https://www.consumerreports.org/cro/magazine/2012/06/facebook-your-privacy/index.htm).
An estimated 10% of Facebook applications requested access to your “Friends”. Thus, it is highly likely everything we shared with Facebook, including items to “Friends” only was scraped, including Timeline posts, Photos, Likes and more and are now stored in non-Facebook, private, third-party databases.
It is likely that if applications could this, then major intelligence agencies also scraped this data.
Most apps would not have collected all of the possible data but just a limited subset. However, a combination of several apps, each collecting a subset, could merge their data together to ultimately collect everything about everyone.
News reports about the Cambridge Analytica beach now affecting 87 million (mostly) Americans are missing the story. It is likely that nearly all 2 billion Facebook users have had their data scraped, including what they thought was private information.
Why are you still using Facebook? Facebook is a dangerous platform that has operated for 14 years in a reckless manner.
Reference
Symeondiis, I., Tsormpatzoudi, P., and Preneel, B. (2015). Collateral damage of Facebook Apps: an enhanced privacy scoring model