their are a mryiad of apps on facebook that when you sign up /accept you are allowing personnal info to be shared and it is not illegal because the user is agreeing allow this however from time to time rogue apps do slip through the system.
This may be the case in this instance it may be that your nieces machine has been infected by a virus/malware i would tell her to run a scan antivirus/ malware on her machine asap.
Also never reply or attempt to reply to spam as this may alert the spammers that your email adress is active and the likley hood is you will recieve a lot more.
As you have tried to reply i would also suggest running an antivirus /malware scan on your own machine to be on the safe side
hope this is of some help D