Instagram kept deleted photos and DMs on its servers for over a year

A security researcher discovered a now-fixed Instagram bug that meant removed photos and messages were kept for more than a year after they were deleted.

According to TechCrunch:

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them.

Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.

As the report notes, it isn't "uncommon" for companies to keep data that has been deleted for a time, whilst it is properly removed from its network. Indeed, Instagram said that its own process takes about 90 days to fully remove deleted data from its system. You can imagine Pokharel's surprise when he found that data he'd supposedly deleted from his Instagram was still available from Instagram's data download tool more than a year after it had been deleted:

"Instagram didn't delete my data even when I deleted them from my end," he told TechCrunch.

According to the report, the bug was reported in October of 2019, and fixed by Instagram last month. In a statement Instagram said:

"The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We've fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us."

Given the report, it's unclear how widespread the issue may have been, or how long it had gone on for prior to fixing. It seems there's every possibility other users could have been affected by the problem, and as such, Instagram may have kept user's photos and messages for a lot longer than previously thought.