According to Symantec, Facebook applications leaked keys for accessing profiles.
Nishant Doshi of Symantec said that the keys were leaked to third-party applications including advertisers and analytics platforms.
Fortunately, the advertisers did not quite realise what they had been given - otherwise they could have posted messages or mined personal information from profiles.
Writing in his blog, Doshi said that Facebook had taken action to fix the problem.
However, he estimates that as of April, nearly 100,000 applications were giving away keys to Facebook profiles.
Over the years, "hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Doshi said.
He warned that whatever fix Facebook has put in place, token data may still be stored in files on third-party computers.
Doshi said that Facebook users should change their Facebook passwords to invalidate leaked access tokens.
"Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile."