Facebook confirmed to Wired that the app used a read_mailbox permission, which, unlike other sensitive permissions that Facebook phased out in April of 2015, didn't fully deprecate until October of that same year.

Wired reports that while users would have needed to give their permission for the app (and hence Cambridge Analytica) to access their message inboxes, the request would have likely been hidden in with a bunch of other permission requests, which users may have missed when "agreeing" to share their data. Facebook says that a total of 1,500 people gave This Is Your Digital Life permission, though the total of actual users affected is unknown. The problem goes beyond those that granted permission to share; if you in some way messaged with any of those users, you might be also impacted.

Update 4/10/18 2:26 PM ET: Cambridge Analytica tweeted that it hasn't "handled such data" and that GSR (Global Science Research, the research company that obtained data for CA) did not share any private messages with it or SCL Elections.

GSR did not share the content of any private messages with Cambridge Analytica or SCL Elections. Neither company has ever handled such data. — Cambridge Analytica (@CamAnalytica) April 10, 2018

A Facebook spokesperson reached out and told us: