Facebook has confirmed that private messages were included in data involved in the Cambridge Analytica scandal.
The social network said that about 0.5% of the 305,000 people who installed a personal data-harvesting app had given permission for it to access their Facebook inboxes.
However, many more would have been affected as the haul would have included conversations with others.
It is not clear whether the messages were given to Cambridge Analytica.
The political consultancy has yet to comment on the latest development.
"Prior to 2015, Facebook's platform policy allowed developers to request permission to access inbox content but only if the person explicitly gave consent for this to happen," a spokeswoman for the US tech firm told the BBC.
"According to our records, only a very small number of people - approximately 1,500 - explicitly opted into sharing this information with Kogan's app. The feature was turned off in 2015."
On Monday, Cambridge Analytica issued a fresh statement, restating that it had licensed "legally obtained" data from Global Science Research director Aleksandr Kogan, adding that "hundreds of data firms have utilised Facebook data in a similar fashion".
The latest revelation emerged after Facebook began sending notices to users it had indentified as being among the 87 million people whose data had been potentially shared with Cambridge Analytica.
That figure includes both those who took Mr Kogan's test as well as their friends, whose personal records the app also had access to. Cambridge Analytica has said it only obtained data on about 30 million US citizens.
Facebook's alerts included the warning: "A small number of people who logged into This Is Your Digital Life also shared their own... messages from you."
Carole Cadwalladr - the Observer journalist whose investigation helped plunge Facebook into the current crisis - was among the first to pick up on the implication.
This is new & important. @chrisinsilico said that he had seen a table produced by Kogan that included private messages. But we had to be circumspect about this. Now confirmed by @facebook. https://t.co/nE18OfgqG0— Carole Cadwalladr (@carolecadwalla) April 10, 2018
The BBC understands that Facebook does not believe that any of the 1,500 users involved had also given access to their SMS texts, despite the fact that there used to be ways to group all one's messages together in one place.
The latest revelation came hours before Facebook's chief executive Mark Zuckerberg was due to testify before the US Senate Commerce and Judiciary committees in Washington.
He is also due to be questioned by the House Congressional Testimony on Wednesday.
Ahead of his appearance, Facebook announced it would begin paying bounties to those who reported misuses of members' data by app developers.
"This programme will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people's data to another party to be sold, stolen or used for scams or political influence," it said.
Just spoke to Facebook about its new data abuse bounty programme:— Dave Lee (@DaveLeeBBC) April 10, 2018
- There's no upper limit, though expect "big" revelations to get around $40,000, as per bug bounty programme
- Recipients of the bounty are free to go to the press once it is resolved