According to a post on the official Symantec blog, employee Nishant Doshi states that third party advertisers have accidentally had access to Facebook users' accounts, which includes their personal information such as photos, chats and profiles.
He further adds, “Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”
The report also says that there no proper way to estimate as to how many of these ’access tokens’ have been leaked since the release of Facebook Apps back in 2007. Users who are concerned about their privacy can change their Facebook passwords as they invalidate the leaked access tokens.