Instagram wasn’t removing photos and direct messages from its servers

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them.

Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.

It’s not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems.

But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram’s servers, and could be downloaded using the company’s data download tool.

“Instagram didn’t delete my data even when I deleted them from my end,” he told TechCrunch.

Pokharel reported the bug in October 2019 through Instagram’s bug bounty program. The bug was fixed earlier this month, he said.

A spokesperson for Instagram told TechCrunch: “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”

It’s a near-identical issue that Twitter fixed last year, in which users could access long-deleted direct messages — including messages sent to and from suspended and deactivated accounts — using its own data download tool.