Facebook began notifying people yesterday if their information was accessed by Cambridge Analytica. Soon after, the social media company created a Help Center page that you can check to see if you were one of the affected members who logged into the quiz app This Is Your Digital Life. Apparently, doing so shared not only your News Feed, timeline and posts, but also your private messages.
Facebook confirmed to Wired that the app used a read_mailbox permission, which, unlike other sensitive permissions that Facebook phased out in April of 2015, wasn't fully deprecated until October of that same year.
Wired reports that while users would have needed to give their permission for the app (and hence Cambridge Analytica) to access their message inboxes, the request would likely have been buried among a bunch of other permission requests, which users may have missed when "agreeing" to share their data. Facebook says that a total of 1,500 people gave This Is Your Digital Life permission, though the total number of users actually affected is unknown. The problem goes beyond those who granted permission to share; if you exchanged messages with any of those users in some way, you might also be impacted.
Update 4/10/18 2:26 PM ET: Cambridge Analytica tweeted that it hasn't "handled such data" and that GSR (Global Science Research, the research company that obtained data for CA) did not share any private messages with it or SCL Elections.
"GSR did not share the content of any private messages with Cambridge Analytica or SCL Elections. Neither company has ever handled such data." — Cambridge Analytica (@CamAnalytica), April 10, 2018
A Facebook spokesperson reached out and told us:
"In 2014, Facebook's platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen. At the time when people provided access to their mailboxes -- when Facebook messages were more of an inbox and less of a real-time messaging service -- this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place. According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015."