Facebook confirmed to Wired that the app used a read_mailbox permission, which, unlike other sensitive permissions that Facebook phased out in April of 2015, didn't fully deprecate until October of that same year.
Wired reports that while users would have needed to give their permission for the app (and hence Cambridge Analytica) to access their message inboxes, the request would have likely been hidden in with a bunch of other permission requests, which users may have missed when "agreeing" to share their data. Facebook says that a total of 1,500 people gave This Is Your Digital Life permission, though the total of actual users affected is unknown. The problem goes beyond those that granted permission to share; if you in some way messaged with any of those users, you might be also impacted.
Update 4/10/18 2:26 PM ET: Cambridge Analytica tweeted that it hasn't "handled such data" and that GSR (Global Science Research, the research company that obtained data for CA) did not share any private messages with it or SCL Elections.
A Facebook spokesperson reached out and told us:
"In 2014, Facebook's platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen. At the time when people provided access to their mailboxes -- when Facebook messages were more of an inbox and less of a real-time messaging service - this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place. According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015."