You expect that when you delete something from Instagram, it will be gone for good. But when security researcher Saugat Pokharel asked the photo-sharing app for a copy of images and direct messages, he was sent data he had deleted more than a year earlier, indicating that the information had never been fully removed from Instagram’s servers.
Instagram says this was due to a bug in its system that has now been fixed, and Pokharel was awarded a $6,000 bug bounty for highlighting the issue.
“The researcher mentioned a problem where a snapshot of their information would contain somebody’s deleted Instagram photos and messages if they used our Instagram Access Your Information Tool,” a spokesperson for Instagram said. “We resolved the problem and didn’t see any signs of wrongdoing. We thank the researcher for notifying us of this problem.”
It’s not clear how widespread this issue was, or whether it affected all Instagram users or just a subset, but it’s certainly not an uncommon issue. Whenever we delete data from online services, there is usually some undefined period before the data is fully removed from the service's servers. The company says it typically takes about 90 days for Instagram to delete data entirely. In the past, however, security researchers found similar problems with other sites, including Twitter, which retained direct messages between users for years after they were supposedly removed.
The problem was only exposed in this case because Pokharel had the option of downloading a copy of his Instagram data. The Facebook-owned company introduced this download tool in 2018 to comply with the EU's GDPR data privacy regulation.