Instagram was caught keeping deleted messages and photos on its servers for as long as a year, a security researcher found. Instagram paid the researcher $6,000 for his findings through its bug bounty program.
As noted by TechCrunch, the security flaw was found when Saugat Pokharel, an independent security researcher, downloaded his data from Instagram. He noticed that his data backup contained all the private messages and photos that he had previously deleted from his Instagram account.
This turned out to be a bug. Once anyone deletes an image or other data from Instagram, the company says that it can take up to 90 days for the deleted data to be fully removed from its servers. However, the content in question had been deleted more than a year earlier and was still part of the downloaded data backup for Saugat Pokharel.
Instagram was told about this issue in October 2019 through its bug bounty program. The issue was finally fixed this month, in August 2020, after almost 10 months.
The company gave a statement to TechCrunch on this matter:
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
Instagram is not the first social media company to have such an issue. Twitter had a similar issue last year, when it was found that deleted direct messages were still on the company's servers and were part of downloaded data backups from the service. The company has since fixed the issue, but it does raise the concern: should you ever have any important conversations in your social media app's direct messages? Or should you rely on services with end-to-end encryption like WhatsApp, iMessage, or Telegram?