Facebook has started to help users figure out whether or not they’ve been affected by the Cambridge Analytica scandal, and detailed in the company’s notification is the fact that Facebook users may have also had their private messages leaked to Cambridge Analytica.

As pointed out by researcher Jonathan Albright, the vulnerability dates back to the first version of Facebook’s Graph API, which allowed apps to request massive amounts of users’ friends info with a single prompt. Once permission was granted, apps — like Cambridge Analytica — could continue to pull data for years until either the app was deleted or when Facebook finally killed the 1.0 version of the Graph API for a more limited 2.0 version in 2015.

Included in the data that those early Graph API apps could pull was the ability to read users’ private Facebook messages through a “read_mailbox” API request.

Facebook confirmed to Wired that a relatively small number of Facebook users gave access to Messenger — only 1,500 people gave the “This Is Your Digital Life” app permission to access the data, but anyone who messaged or received messages from those 1,500 people could also potentially be impacted.

Update April 10, 2:55pm: Cambridge Analytica has denied that it had access to private message data.