"I was shocked to see that this data was publicly available to any third-party that requested it," said Inti De Ceukelaire, the Belgian security researcher who discovered the data leak.
"It would only take one visit to our website to gain access to someone's personal information for up to two months," he wrote in his blog post. "I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos."
De Ceukelaire reported the problem to Facebook in April through the company's new bug bounty program, which was introduced in response to the Cambridge Analytica scandal.
"This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems," Facebook said in a post about the flaw, which the company helped to fix.
"To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it," Facebook added.
The developer behind Nametests.com, Social Sweethearts, said it has also found no evidence that bad actors ever abused the flaw.
However, De Ceukelaire said the whole incident raises serious questions over how Social Sweethearts is handling the data of its users. He also noted that it took Facebook over two months before it finished its investigation and finally patched the flaw. During that time, the quiz apps from Nametests.com were still up and running.
"I am glad both Facebook and NameTests cooperated and resolved the issue," he said in his blog post. "On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better."
To protect yourself, De Ceukelaire recommends that you delete any apps from Facebook that you're no longer using.