A security researcher has discovered that Instagram has been retaining photos and direct messages for more than a year after users have deleted them. Instagram has awarded Saugat Pokharel a $6,000 bug bounty payout.
Pokharel discovered that his content hadn’t been removed when he downloaded a copy of his data from the photo-sharing service. Instagram introduced the download option two years ago to comply with the European Union’s General Data Protection Regulation (GDPR).
“Instagram didn’t delete my data even when I deleted them from my end,” Pokharel told TechCrunch.
Instagram blames a bug that’s now been fixed, and says there is no evidence of abuse:
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” a spokesperson for Instagram told TechCrunch. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
The issue mirrors one that Twitter fixed last year, where users were still able to access long-deleted direct messages sent to and from suspended accounts, using that service’s data download tool.