Two security researchers have documented a serious and long-standing design flaw in Facebook:
Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.
[…]
There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock†on your Facebook profile.
I’ll let you guess why “there is no good way to estimate” unauthorised access at Facebook.
Most popular facebook applications leaks user information to third parties. Be careful