Facebook users are being advised to change their passwords after it was discovered that "spare keys" to user accounts were accidentally leaked to advertisers.
The keys, called access tokens, allow third parties such as advertisers and web analytics companies to view user profiles and photographs, post messages and chat, reported the internet security company Symantec. It discovered that the tokens were being leaked through Facebook applications such as games and quizzes.
"We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers," wrote security technologist Nishant Doshi, on the official Symantec blog Tuesday.
Concerned users can "change the lock" on their account by changing their Facebook password, invalidating any leaked "keys," added Doshi, one of the two Symantec employees who found the leak.
Symantec reported the problem to Facebook and said the company has since made changes to prevent leakage.
Doshi estimated that millions of tokens had been leaked by more than 100,000 applications since 2007. That was when Facebook released a set of tools that allow developers to integrate their apps with Facebook.
"Fortunately," he wrote, the third parties who received the tokens may not have realized their ability to access users' personal information.
Facebook wrote on its developer blog Tuesday that it has been working with Symantec on identity issues and ensuring its authentication methods are more secure.