The data consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. These alerts let users know whether they or their friends had downloaded a personality quiz app called This Is Your Digital Life, which would have caused their data to be collected and potentially passed on to Cambridge Analytica.
Facebook buried the disclosure in the details about what information was compromised: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."
A Facebook spokesperson confirmed that the app, which was designed by Cambridge University researcher Aleksandr Kogan to collect data on Americans on behalf of Cambridge Analytica’s British counterpart SCL, requested access to user inboxes through the read_mailbox permission. Unlike the collection of specific user friend information, which Facebook says it phased out in April 2015 unless both people had downloaded the same app, the read_mailbox permission didn't fully deprecate until that October.