Facebook's already-hurting reputation for privacy took another hit Wednesday when the Internet's biggest hangout had to disable its live chat facility for a few hours because a security flaw allowed users to spy on their friends' personal information. With just a few clicks users could exploit the site's privacy features – which actually are intended to protect users – to spy on friends' personal chat messages and see pending 'friend' and other requests.

The security breach worked via an option in the privacy settings that lets people preview their profiles as they would appear to friends. TechCrunch first reported the breach, saying it had been tipped off by a user. (You can also watch a video of the exploit at TechCrunch.)

Facebook said in a statement: "For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the 'preview my profile' feature of Facebook privacy settings." It added: "When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete." The security gaffe does little to ease pressure on the fast-growing site to mend its ways.

Two months ago the site was hit by five security problems in a single week. And last month, a new feature that allows users to give a public thumbs up to information they 'Like' on the Web drew criticism from both lawmakers and privacy watchdogs. Senator Charles Schumer, the New York Democrat, last week called on the Federal Trade Commission to create privacy guidelines for social networking sites such as Facebook and Twitter.

The news of Facebook's latest security glitch comes as a Consumer Reports survey suggests that almost a quarter of the site's users aren't even trying to protect their data. The study found that 23 percent of users were either unaware of the site's privacy protection offerings – or had chosen to disable the protections. What's more, users were engaging in risky behavior online – behavior that could leave them (and possibly the companies they work for) vulnerable to hackers and worse. More than two in five users (42 percent) confessed they'd left their full date of birth visible to others, while just over a quarter (26 percent) of adult users had posted the full names of their children, complete with photos and descriptions. Seven percent posted their full street address, and three percent revealed when they were away from home.