Instagram stored deleted pictures, messages for over a year, reveals researcher

The researcher said that he had reported the bug to Instagram in October 2019 as part of its bug bounty program.


An independent security researcher has recently revealed that Instagram was not deleting the photos and messages that he had deleted from his end more than a year ago.

When Saugat Pokharel, the researcher downloaded his data from Instagram's tool, he found that the data included messages that he had sent to others and posts that he deleted a long time back. So viewing as well as downloading the data from the server was possible. The data download tool was launched by the firm in 2018 to help users restore lost data and to comply with new European data rules.

 Instagram stored deleted pictures, messages for over a year, reveals researcher

Representational Image.

Instagram users can access the ‘Data Download’ option by visiting a download request link or by going through the privacy settings in the app itself. Users can download images, videos, archived stories, profile, account information, comments and direct messages using the tool.

Saugat spoke to Tech Crunch about the issue and said he had reported the bug to Instagram in October 2019 as part of its bug bounty program. "Instagram didn’t delete my data even when I deleted them from my end".

Instagram has since then told the tech portal that they fixed the bug earlier this month. According to them, the researcher reported an issue where someone’s deleted Instagram images and messages were included in a copy of their information if they used Instagram’s Download Your Information tool. A spokesperson from Instagram added that they have fixed the issue and have seen no evidence of abuse. They further thanked the researcher for reporting it.

Tech Crunch also pointed out the similar problem users faced with Twitter last year. A security researcher had found that the microblogging platform was retaining old messages even after years of them being deleted. Also, messages from deleted or deactivated accounts were also stored on Twitter's servers.

According to the CEO of GajShield Infotech, a network security technology company, Sonit Jain, "Biometric privacy law needs to be strong and consumers well protected against any infringement of it. Sometimes collection of data is hidden in terms and conditions or privacy settings, they need to be simplified and any collection of data should be clearly highlighted. The settlement of facial recognition suit by Facebook, is a warning to all tech companies who collect highly personal information of consumers without their explicit opt-in and would desist them too from doing it.”


Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.