A bug in Facebook-owned Instagram stopped the photo-sharing app from removing photos and private direct messages from its servers even when the users had deleted those, the media reported.
Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, his downloaded data contained photos and private messages with other users that he had previously deleted, reports Tech Crunch.
On Instagram, it takes usually about 90 days for deleted data to be fully removed from its systems.
But in Pokharel’s case, the Instagram data he had deleted was still there even after more than a year.
Pokharel reported the issue to Instagram in October last year via its bug bounty program.
The bug was fixed earlier this month.
“We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” an Instagram spokesperson was quoted as saying in the report on Thursday.
Pokharel also received $6,000 as bug bounty payout from Instagram.
It’s a near-identical issue that Twitter fixed last year, in which users could access long-deleted direct messages, including messages sent to and from suspended and deactivated accounts, using its own data download tool.
Last year, micro-blogging site Twitter faced the similar issue when it was accused of retaining messages shared on its platform including deleted messages along with data shared and received from accounts that have been suspended or deactivated.
Security researcher Karan Saini found years-old messages in a file from a data archive obtained through the website from accounts that were no longer on Twitter.
As part of its privacy policies, Twitter says that anyone wanting to leave the service can have their account “deactivated and then deleted” and after a 30-day grace period, the account, along with its data, disappears from the platform.