Symantec announced that it has discovered a flaw in the way some Facebook applications are authorised, enabling those apps to have backdoor access to user accounts via 'access tokens'.
Symantec said on its blog today, "third parties, in particular advertisers, have accidentally had access to Facebook users' accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information."
The net security firm said it has notified Facebook of the issue, and that Facebook has undertaken corrective action.
It is estimated that around 100,000 applications were enabling the leakage and that, over the years, millions of access tokens may have been leaked to third parties.
Even with Facebook's authorisation upgrades to correct this situation, old access tokens may remain valid. Symantec recommends changing your password to automatically invalidate all prior access tokens.
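As an added illustration of the mitigation Symantec recommends (this is example code, not Symantec's or Facebook's, and the user names, scopes and timestamps are constructed), the following token store binds every access token to the version of the user's password that was current when it was issued. A password change bumps that version, so any token that leaked earlier, even one that has not yet expired, fails validation afterwards:

```python
"""
Added example: an access-token store in which changing a user's password
invalidates every token issued before the change. The design and all
sample data are constructed for illustration; nothing here is real
Facebook or Symantec code.
"""
import secrets
import time


class TokenStore:
    def __init__(self, lifetime_seconds=3600):
        self.lifetime = lifetime_seconds
        # user -> integer that is bumped on every password change
        self.password_version = {}
        # token -> (user, scopes, password version at issue time, expiry)
        self.tokens = {}

    def register_user(self, user):
        self.password_version[user] = 1

    def issue_token(self, user, scopes, now=None):
        """Issue a random bearer token tied to the user's current password version."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (
            user,
            frozenset(scopes),
            self.password_version[user],
            now + self.lifetime,
        )
        return token

    def change_password(self, user):
        """Simulate a password change: every previously issued token becomes stale."""
        self.password_version[user] += 1

    def validate(self, token, required_scope, now=None):
        """Return the user the token belongs to, or None if it must be rejected."""
        now = time.time() if now is None else now
        record = self.tokens.get(token)
        if record is None:
            return None  # unknown token
        user, scopes, issued_version, expires_at = record
        if now >= expires_at:
            return None  # past its lifetime
        if issued_version != self.password_version[user]:
            return None  # issued before a password change: treat as leaked
        if required_scope not in scopes:
            return None  # token exists but was never granted this permission
        return user


def demo():
    """Walk through the leak-then-rotate scenario and report each outcome."""
    store = TokenStore(lifetime_seconds=3600)
    store.register_user("alice")  # constructed user
    leaked = store.issue_token("alice", ["read_profile"], now=1000)
    before = store.validate(leaked, "read_profile", now=1001)
    store.change_password("alice")
    after = store.validate(leaked, "read_profile", now=1002)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("leaked token before password change:", before)
    print("leaked token after password change: ", after)
```

The check that matters is the version comparison in validate: expiry alone would leave a leaked token usable for the rest of its lifetime, whereas tying validity to the password version gives the user a single action that revokes everything issued earlier, which is what Symantec's advice relies on.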
Facebook has released a roadmap for developers to move their apps to the more secure OAuth 2.0.