A security oversight on Facebook's part has potentially given third parties, such as advertisers and analytics platforms, access to millions of user accounts.
Specifically, the problem came from Facebook applications that users had granted access to their accounts. Each such application holds an access token, which works like a set of spare keys to a Facebook account.
The token can grant access to wall posts, photographs, and most other areas of a profile. Symantec estimates that close to 100,000 applications were inadvertently allowing the access tokens to be leaked out to third parties.
Most access tokens have an expiry point, but some applications can request offline access, which lets the token keep working until the user changes his or her password. Facebook says that it has already changed its system so that this sort of token leakage isn't possible anymore, but tokens already leaked still work.
It's another "oops" on Facebook's privacy record, but users can at least put a halt to further access by changing their password.
Read more at Symantec's blog.