Instagram has been storing users deleted data

One security researcher gained $6000 for reporting the bug, which has now been fixed

Last Updated on

Where does your data go once it’s been deleted? Is there such a thing as permanent deletion online? It’s the internet-age old question that often leaves users perplexed. For one Instagram user, the answer was simple: nowhere, and no. 

When he requested to download all of his data from the Facebook-owned photo sharing app security researcher, Saugat Pokharel, was awarded $6000 for finding that Instagram had kept hold of his photos and direct messages over a year after they’d been deleted, reports TechCrunch.

Pokharel found that this was the case and reported the issue to Instagram through the app’s bug bounty programme in October 2019. The bug was subsequently fixed last month. 

A spokesperson for Instagram told TechCrunch: “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”

It’s unclear how long the bug was active and how many accounts it affected. Instagram usually takes 90 days to permanently delete information for their servers, so it is strange that Pokharel was able to access data from over a year ago. 

The Download Your Information tool was implemented in 2018 following new European data rules. According to The Verge, “GDPR mandates that EU citizens have a ‘right of access’ to their data, allowing them to request a copy of all the information a company stores on them within a reasonable amount of time”. 

The bug was almost identical to that of Twitter’s in 2019, which saw users able to access data they’d deleted years prior, including direct messages from deactivated and suspended accounts.