Last week it was a hacker attack at Sony that left the personal data of 100 million customers exposed, today it’s an accidental leak at Facebook that may have given third parties, in particular advertisers, access to user profiles.

IT security firm Symantec discovered that in certain cases, Facebook applications inadvertently leaked so-called “access tokens† to these third parties, potentially enabling them to access user profiles, photographs and chat.

Some 20 million Facebook applications are installed every day, apparently.

According to a post on Symantec’s official blog:

We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.†

Symantec says it has reported the issue to Facebook, who has taken corrective action to help eliminate the issue.

Symantec goes on to advise concerned Facebook users to change their passwords to invalidate leaked access tokens:

Changing the password invalidates these tokens and is equivalent to “changing the lock† on your Facebook profile.†

In a recent post  on the Epsilon data breach,  we reported  that the average organizational cost of a data breach increased to $7.2 million in 2010 and cost companies an average of $214 per compromised record up from $204 in 2009, per a study by Symantec and the Ponemon Institute.

Read more on the Sony data breach in a New York Times article by Ron Lieber.

Check out coverage-related info and I.I.I. tips for avoiding ID theft.