About 100,000 legacy FB apps have leaked millions of user access tokens sincd 2007. This data enabled mining of personal user information including profiles, photographs and chat, even if this info was to be protected by privacy settings.
Facebook apps effectively pushed these user access tokens to advertisers as they became part of the HTTP request for the advertisers external resources displayed in an IFRAME. These tokens are still in the open and allow advertisers and other third parties to access your FB data.
Every FB user is advised the change their passwords to invalidate the token.
This may or may not have been accidental, but it gave advertisers a huge additional benefit in allowing the mining of the data of users viewing their ads.
And this data crucial in the coming paradigm shift towards Real Time Bidding in online advertising. As The Economist put it in a recent article:
[…] content is no longer king online. Information about users is what really matters.