The data consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. These alerts let users know whether they or their friends had downloaded a personality quiz app called This Is Your Digital Life, which would have caused their data to be collected and potentially passed on to Cambridge Analytica.

Facebook buried the disclosure in the details about what information was compromised: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."

'The harvesting of personal Facebook messages wasn't disclosed, yet again, until the last second.' Jonathan Albright, Columbia University

A Facebook spokesperson confirmed that the app, which was designed by Cambridge University researcher Aleksandr Kogan to collect data on Americans on behalf of Cambridge Analytica’s British counterpart SCL, requested access to user inboxes through the read_mailbox permission. Unlike the collection of specific user friend information, which Facebook says it phased out in April 2015 unless both people had downloaded the same app, the read_mailbox permission didn't fully deprecate until that October.

Users had to agree to give apps access to their inboxes, but that request for highly personal information would be bundled up with a list of other more benign data points, including birthdays or profile pictures. It's possible some users approved this access, never knowing how much of themselves they were giving up, not just to Cambridge Analytica, but to every app that requested these permissions until 2015.

Facebook says that a total of 1,500 people granted This Is Your Digital Life permission, although the total number of people affected remains unknown. Anyone who messaged those 1,500 people—or received messages from those 1,500—on Facebook at the time would be potentially impacted.

Cambridge Analytica denies having accessed that specific data. "GSR did not share the content of any private messages with Cambridge Analytica or SCL Elections. Neither company has ever handled such data," a company spokesperson says.1

Still, the ambiguous last-minute detail Facebook offered to users about this deeply sensitive issue irked critics of Facebook's privacy policies. "The harvesting of personal Facebook messages wasn't disclosed, yet again, until the last second," says Jonathan Albright, research director at the Tow Center for Digital Journalism at Columbia University, who has tracked Facebook's recent missteps. "I suspect it'll be difficult to accurately reconcile the number of users affected due to the nature of [direct messages] and especially group messages."