
Instagram kept pictures and private DMs long after users deleted them

Instagram’s delete buttons may not have functioned as you intended them to in the last year. Independent security researcher Saugat Pokharel discovered (via TechCrunch) that Instagram kept copies of deleted pictures and private direct messages on its servers, even after someone removed them from their account.

Last year, when Pokharel downloaded an archive of his Instagram account’s data, he found that the file also contained images and messages he had deleted more than a year earlier — suggesting that while these pictures weren’t visible on his profile, they were still present on Instagram parent Facebook’s servers.

In a statement, Instagram told Digital Trends that the issue was patched in November 2019, shortly after Pokharel reported it, and that it has “seen no evidence of abuse.” “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” added an Instagram spokesperson.

Oddly enough, in the statement, Instagram doesn’t address whether it has now gotten rid of its users’ old pictures and messages. It simply says that their presence in Pokharel’s archive was an accident. We’ve reached out to Instagram for more information and we’ll update the story when we hear back.

It’s important to note that, similar to Facebook, Instagram takes up to 90 days to clear your data from its servers after you’ve pressed the delete button. However, in one of its data policies, Facebook says “copies of your information may remain after the 90 days in backup storage that we use to recover in the event of a disaster, software error, or other data loss event. We may also keep your information for things like legal issues, terms violations, or harm prevention efforts.”

Facebook awarded Pokharel a sum of $6,000 after he reported the incident through the company’s bug bounty program, an initiative that rewards researchers for unearthing security bugs that Facebook’s team may have missed.

This isn’t the first time a social network has retained its users’ deleted data. A year ago, another security researcher discovered, through Twitter’s data download tool, that Twitter kept users’ deleted direct messages on its servers for years.
