
Instagram kept deleted photos and PMs for a year; says bug fixed

A security researcher has found that Instagram kept deleted photos and private messages for more than a year after he deleted them. The company paid him $6,000 for the discovery …

TechCrunch reports.

Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.

It’s not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from their networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems.

But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram’s servers, and could be downloaded using the company’s data download tool.

Pokharel submitted it as a bug, and the company paid him $6k under its bug bounty. It says the bug has now been fixed.

This mirrors an experience with Twitter last year, where another researcher found that Twitter retained copies of direct messages ‘years’ after they’d been deleted by the user.

While there’s no reason to doubt either company’s explanation that this was a coding error rather than a deliberate privacy breach, it does highlight the need for transparency and user control around deletion policies, as well as a proper auditing process.

For example, when you delete a photo from your iPhone, Apple is transparent about the default process:

  • The photo is moved to the Deleted photos album
  • It is hidden from your main feed
  • It is permanently deleted after 30 days

You also have the ability to override the 30-day delay: if you go into the Deleted photos album and delete it from there, then it is immediately and permanently deleted.

Other apps and services could learn much from this approach.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

