Instagram kept deleted photos and DMs on its servers for over a year

Instagram logo on a Galaxy S10
Instagram logo on a Galaxy S10 (Image credit: Joe Maring / iMore)

What you need to know

  • A worrying bug was discovered on Instagram's servers.
  • Security researcher Saugat Pokharel discovered deleted Instagram photos and messages were kept by Instagram long after he deleted them.
  • He found data that had been stored for more than a year.

A security researcher discovered a now-fixed Instagram bug that meant removed photos and messages were kept for more than a year after they were deleted.

According to TechCrunch:

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them.Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.

As the report notes, it isn't "uncommon" for companies to keep data that has been deleted for a time, whilst it is properly removed from its network. Indeed, Instagram said that its own process takes about 90 days to fully remove deleted data from its system. You can imagine Pokharel's surprise when he found that data he'd supposedly deleted from his Instagram was still available from Instagram's data download tool more than a year after it had been deleted:

"Instagram didn't delete my data even when I deleted them from my end," he told TechCrunch.

According to the report, the bug was reported in October of 2019, and fixed by Instagram last month. In a statement Instagram said:

"The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We've fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us."

Given the report, it's unclear how widespread the issue may have been, or how long it had gone on for prior to fixing. It seems there's every possibility other users could have been affected by the problem, and as such, Instagram may have kept user's photos and messages for a lot longer than previously thought.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9