It's being claimed that some of the most popular applications on Facebook have been transmitting information identifying users.
The apps sent details to dozens of advertisers and companies that track what people are doing online.
Facebook has already reacted to the revelation, which was reported in the Wall Street Journal in the US.
The company said that it would introduce new technology to limit the security breach.
Facebook developer Mike Vernal blogged: "We take user privacy seriously. We are dedicated to protecting private user data."
He added that in many cases the passing on of user IDs by apps is not deliberate, saying:
"In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work."
But it's not clear for how long personal identifying information was being passed on.
One data-gathering firm, Rapleaf, was found to be passing on user ID information from apps.
But it has already changed its systems, saying in a statement:
"As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any Rapleaf service."
Most Facebook apps are the work of independent software companies, not Facebook itself.
The newspaper says the security breach even includes users who set all their information to be completely private.