It would be a surprise if Symantec made such remarks if they weren't accurate. Facebook hasn't exactly shown much interest in their customers before (other than to squeeze them) and leaking personal data is rarely even noticed by the law or politicians. It's almost a standard business practice thanks to blissful ignorance by Congress. Reuters:
Third-parties would have had access to personal information such as profiles, photographs and chat, and could have had the ability to post messages, the security software maker said.
"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage," the blog post said.
" ... Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," posing a security threat, the blog post said.
