According to Instagram, data deleted from its platform takes 90 days to be completely removed from Instagram’s systems. Turns out that was not the case.
Independent security researcher Saugat Pokharel found that Instagram was keeping copies of photos and private messages on its servers a year after they were deleted by users.
After downloading data via Instagram’s data download tool (launched in 2018 to comply with GDPR regulations), Pokharel told TechCrunch that “Instagram didn’t delete my data even when I deleted them from my end.”
What’s more, the bug, originally reported in October 2019, was only fixed earlier this month, almost a year later. The Facebook-owned platform awarded Pokharel $6,000 for finding the bug.
While it’s not uncommon for companies to store freshly deleted data for a select time before permanently deleting it, this practice was hard to check before the GDPR was put in place.
It is not the first time we’ve heard of a company abusing its users’ data. Twitter had a similar issue where users could access deleted Direct Messages years later, not to mention Facebook’s opaque data collection and its use of Cambridge Analytica that cost the company a mere US $5 billion.
As data protection laws strengthen, it’s likely we’ll be seeing more cases of companies erring in their data storage practices. Looking for such bugs should be encouraged—finding and fixing vulnerabilities can only provide better security for the people who rely on these services every day (we’ve just upgraded our own bug bounty program).
It’s also worth saying that if you want a secure messaging app that lets you delete your messages (or give them expiry dates), there are privacy-oriented alternatives available. It may be difficult to completely uncouple yourself from social media, but there are ways to reduce what these platforms know about you—consider privatizing some things, like your photos, and minimizing the personal information you put out in the wild.