Huge Facebook Security Flaw Uncovered 100K apps leaked 'spare key' to advertisers ... for years By Rob Quinn, Newser Staff Posted May 11, 2011 1:14 AM CDT Updated May 11, 2011 7:59 AM CDT 12 comments Comments Facebook accidentally leaked millions of user access tokens, Symantec says. (Getty Images) (Newser) – A major security flaw left the accounts of Facebook users exposed for years before it was fixed, security firm Symantec says. Around 100,000 Facebook applications accidentally shared users' access tokens—described as a "spare key" to the account that allow the apps to do things like post info to a user's wall—with advertisers and other third parties, the Wall Street Journal reports. Facebook says it took care of the problem after Symantec told the company about it last month. Holders of access tokens would have been able to mine personal information and access a user's friends' profiles, although there is no evidence that the third parties did so or were even aware that they were able to. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers," Symantec analysts wrote in a blog post, urging concerned Facebook users to invalidate the leaked access tokens by changing their passwords.