Facebook has taken action to fix a security flaw that led to the personal data of millions of users being made available to third-party applications and advertisers for years.

Internet security company Symantec discovered the flaw, which it says exposed data including photos, user profiles, chat logs and more. It adds that the third-party apps also had the ability to post messages and retrieve users’ personal information from their accounts.

The security flaw was estimated to have affected hundreds of thousands of apps and Symantec says that it was accidental. Facebook says that users install 20 million applications on the social network each day, so the scale of this security leak is enormous.

In some cases, these apps shared user access tokens with advertisers and analytics companies. The tokens act much like a spare set of keys that apps use to carry out certain actions on the user’s behalf, such as posting to the user’s Wall, sending RSVP replies to Event invitations and accessing a friend’s profile.

Nishant Doshi, a senior software engineer at Symantec, wrote that:

Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked. We estimate that as of April 2011 close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

In a statement, Facebook says that, “We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook.”

While it is entirely possible that the developers of the apps did not realize they were able to access users’ data, there is no way to know for sure how many access tokens have been leaked since support for third-party applications was enabled in 2007.

While Facebook has taken steps to fix the leak, it is recommended that you should change your Facebook password to render any leaked tokens useless — think of it as changing the lock on your door after someone else lost your keys.

[Image Credit: flickr, andilicious]