Facebook apps may have inadvertently leaked the personal data of millions of Facebook users to third parties such as advertisers, according to the Web security firm Symantec.

Among the information that could have been accessed is data from user profiles, pictures and Facebooks chats between users.

"Fortunately, these third parties may not have realized their ability to access this information," said Nishant Doshi, a Symantec spokesman in a company blog post. "We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue."

A Facebook spokeswoman said the Palo Alto company has updated its application programming interface (or API) to remove the weaknesses in its platform that Symantec discovered.

"We appreciate Symantec raising this issue and we worked with them to address it immediately," Facebook said in an emailed statement. "Unfortunately, their resulting report has a few inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties.

"In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies."

Symantec found that the data leaks took place in the mistaken giveaway of "access tokens" to third parties in as many as 100,000 different applications as of April, Doshi said.

"We estimate that over the years hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," he said. "Access tokens are like 'spare keys' granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user's profile. Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc."