"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage," the security firm said in a blog.
"Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
According to the security firm, some Facebook IFRAME apps "leaked access tokens to third parties like advertisers or analytic platforms". Symantec said access tokens were like "spare keys" that allowed apps to perform certain actions, such as posting on a wall or accessing photos or chat messages, on the user's behalf. However, third parties may not have realised they could access the information.
"By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren't logged in," Symantec said.
"There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Facebook confirmed the leakage, although it said Symantec's report had a few inaccuracies.
"Specifically, we have conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorised third parties," Malorie Lucich from Facebook said.
The social network confirmed it has since removed the outdated API (Application Programming Interface) Symantec was referring to.
Symantec advised users concerned about privacy to change their passwords "to invalidate leaked access tokens".