A programming error exposed the personal details of Facebook users to advertisers and other third parties, says IT services company Symantec.
However, the Symantec researchers say these third parties may not have realised they could mine personal data or access profiles, photographs, chat and messages.
"We have reported this issue to Facebook, which has taken corrective action," says Symantec's Nishant Doshi in a blog post.
Symantec discovered that, in certain cases, Facebook Iframe applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms.
"We estimate that, as of April 2011, close to 100,000 applications were enabling this leakage," wrote Nishant Doshi.
Symantec estimates that, over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
According to Doshi, access tokens are like 'spare keys' which applications can use to perform actions on behalf of the user or to access the user's profile.
"Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile or posting to your wall," says Doshi.
Users grant this type of access to Facebook applications so they can do things such as write on profile walls, but by handing over these tokens to others, application developers were accidentally giving advertisers or online analytics companies a way to get at this information too, says Symantec.
Facebook has now fixed the problem and the issue does not affect applications that use the newer OAUTH2.0 authentication system. But Nishant says it is difficult to estimate how many access tokens have been leaked since the release of Facebook applications in 2007, and many of these tokens might still be available in log files of third-party servers, or are still being actively used by advertisers.
Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens, Doshi says, because changing the password invalidates these tokens and is equivalent to "changing the lock" on your Facebook profile.