Security researchers discovered that Facebook leaked user access tokens to advertisers, exposing their chat, photos and profiles. Facebook says there's no evidence any such data was used, but the security guys suggest changing your password, and you should probably listen.

Researchers at security software firm Symantec discovered a bug in the process by which some Facebook applications ask permission to access your data. After you approve an application, it seems, the access code intended only for the application can be exposed to advertisers, analytics companies and other third parties embedded on the application's own pages. These tokens, which have been given out in an insecure manner in up to 100,000 applications since 2007 (!), can provide access to your Facebook data until you change your password, which is why Symantec says "concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens."

Facebook, for its part, told Symantec it has fixed the bug and told the LA Times, "we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties." But better safe than sorry. After all, can you imagine how embarrassing it would be if someone found out you use Facebook Chat?? So mortifying.

[Image: Daniel Nguyen/Flickr]