As reported by TechCrunch, independent security researcher Saugat Pokharel downloaded his data from Instagram using a tool it launched in 2018 to comply with the European Union’s GDPR privacy law.
To his surprise, Pokharel discovered that the data contained photos and private messages he’d deleted over a year ago. “Instagram didn’t delete my data even when I deleted them from my end,” he told the publication.
Pokharel reported the issue in October last year through Instagram’s bug bounty program. The company says it was due to a bug that was addressed last month, and the researcher has been awarded $6,000 for discovering it.
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” said an Instagram spokesperson. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
Instagram isn’t the first company to hang on to user data. Back in February 2019, it was discovered that Twitter had been retaining direct messages for years after their deletion, even if the accounts had been suspended or deactivated. The service fixed the issue last year.
In other Instagram news, owner Facebook is facing a potential $500 billion lawsuit over the app’s alleged biometric data harvesting practices.
Center image credit: PixieMe via Shutterstock