Cambridge Analytics is a data portability exploit. It leveraged your friend's ability to send your Facebook data to third party apps. GDPR enforces more data portability, which in some sense allows for a larger attack surface for such exploits. The article mentions one example of hackers extracting all your personal data after a takeover of your account.