One way your data can escape is through Facebook games and apps. Whenever you run one, it gets your public information, such as your name, gender, and profile photo, as well as your list of friends even if you haven’t made that list public. And if you give the app certain permissions, it can peer deeper into your data and even see information that your friends share with you, unless they have specifically forbidden sharing with apps in their own privacy settings.

Source: Facebook Privacy – Consumer Reports
I was never even aware of a separate and well hidden apps privacy setting. Per the default settings in Facebook, which they hid this weekend – your friend’s apps could see essentially everything of yours.
I saved a copy of the screen before Facebook deleted it, to hide the evidence:
This snap shot was taken after I had cleared the default settings. My memory is that virtually all items on the list were being shared with apps.

Yes, 10% of apps that Friends were using could have read all of these items, including our posts. This, like most of these posts, is also filed in the Crime category.