Instagram was caught retaining users' photos and direct messages (DMs) more than a year after they had been deleted. This was due to a flaw that has now thankfully been fixed.
The flaw was discovered by security researcher Saugat Pokharel when he downloaded a copy of his data from Instagram using the Download Your Information feature. The Facebook subsidiary launched this feature in 2018 to comply with new data protection regulations in the European Union.
In fact, it is common for businesses to keep recently deleted data for a period of time until it is completely cleared from the network, system, and cache. Instagram’s own policy says that it will completely erase data from its systems within 90 days.
But Pokharel did not expect that the photos and direct messages he had deleted more than a year earlier would still be stored on Instagram’s servers and could be downloaded with this feature.
“Instagram doesn’t delete my data even when I delete it myself,” Pokharel told TechCrunch.
Pokharel reported the flaw in 2019 through Instagram’s bug bounty program. It was fixed earlier this month, and Pokharel received a USD 6,000 reward for his contribution.
“Investigators reported an issue where someone’s deleted Instagram photos and messages were included in a copy of their information if they used the Download Your Info on Instagram tool,” said an Instagram spokeswoman.
“We have fixed the problem and saw no evidence of abuse. We are grateful to the investigators for reporting this issue to us,” she continued.
This is not the first time that a social media company has been found retaining deleted user data. Last year, Twitter was also caught storing DMs long after they had been deleted, including DMs sent to and from users who are no longer active.