SAN JOSE, Calif. — Four out of 10 users of Web site Facebook unwittingly expose themselves to the risk of identify theft and virus attacks, according to a new study that underscores growing concerns among security experts about online social networking.

Sophos, a Boston-based Internet security company that set up a fictional account on the Palo Alto, Calif.-based site, reported that in a random survey of Facebook users, 41 percent divulged personal information, such as phone numbers, birth dates and e-mail addresses, that could be viewed by strangers.

A Sophos fake user, "Freddi Staur," invited 200 Facebook users to be an online friend. Eighty-seven accepted the invitation, and of those, 82 "leaked" personal information.

Sophos said Facebook's privacy features "go far beyond" those of competing social networking sites. And in a statement, a Facebook representative said, "Facebook has long deployed technology that limits the availability of personal information and welcomes every opportunity to educate users about how to protect their data online."

Facebook users are not the only Internet social-networkers to face dangers in this new era of instant information-swapping. In January, News Corp. and its MySpace social-networking site were sued by four families who said their underage daughters were sexually abused by adults they met on the site.

Furthermore, security experts have began sounding alarms about a new generation of thieves trolling the Internet, from social-networking pages to sites devoted to rental units and real estate, looking for personal information they can use in a scam.

Sophos said it decided to look at Facebook, which has some 31 million users, because the company requests some personal details before giving someone a new account, said Ron O'Brien, senior security analyst with Sophos. Facebook then allows users to cloak that information, though many don't.

"The only way to avoid that is to go to the security setting on your profile and set it so it can only be seen by a limited number of people," said O'Brien.

Eighty-four percent of respondents to the Sophos "user" listed complete birth dates, 78 percent divulged their address or location, 72 percent listed at least one e-mail address, 87 percent provided details about their education or workplace. Twenty-three percent gave their phone number, while 26 percent provided an instant message name.

Such personal information can be used for targeted scams. For instance, online scammers can send an e-mail birthday card embedded with a link to a Web site that can unleash a malicious virus, O'Brien explained.

"When you provide information about yourself, you are giving a bad person the opportunity to exploit your identity," O'Brien said.

The problem is that young people often view their Web pages much like their bedrooms — they think only those they invite in can see what they are doing. But without privacy settings turned on, they are exposing themselves to virtually anyone online, O'Brien said.