Hey guys - I work on the Dev Relations team at Facebook. We appreciate Symantec raising this issue and we worked with them to address it immediately as the article mentioned. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, the change we announced today on our developer blog (https://developers.facebook.com/blog/post/497) removes the outdated API referred to in Symantec's report.