They , saying it may have affected nearly 100,000 Facebook applications for years now.

According to Symantec, certain Facebook applications have been inadvertently handing advertisers access tokens -- strings of numbers and letters that can be used by a browser to access Facebook accounts over the Web. "Access tokens are like the 'spare keys' granted by you to the Facebook applications," Symantec said in a blog post. "Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc."

Users habitually grant this type of access to Facebook applications so they can do things such as write on profile walls, but by handing over these tokens to others, application developers were accidentally giving advertisers or online analytics companies a way to get at this information too.

"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of tokens to third parties," Symantec said. Facebook representatives could not immediately be reached for comment.

The tokens were leaked in referring URLs that Facebook applications passed on to advertisers and others. That shouldn't have happened.