According to an investigation by Symantec, innumerable Facebook applications have been leaking your personal data for years. The issue, just discovered by Symantec, has been reported to Zuckerberg and company, but advertising and stat tracking companies may have already had access all this time.
The issue stems from the use of older authentication schemes for Facebook apps. The site uses OAUTH2 now, but many applications still use older methods. When an app asks for permission to access user data, it is possible that the IFRAME app is making use of one of the deprecated APIs. That means the access tokens could be leaked to un known third-parties. This could happen if the app requests an external URL. The token will be sent to the server in question.
According to Symantec, Facebook has closed the loophole, but that doesn't mean you're in the clear. The access tokens give third parties the same access to your data as the application had. Unfortunately, many of these tokens could be stored in server logs at advertising or analytics companies. Changing your password will invalidate any leaked tokens, which we suggest you do.