Skip to main content

Instagram kept deleted photos and messages on its servers for more than a year

Instagram kept deleted photos and messages on its servers for more than a year


The files were retained due to a now-fixed bug, says Instagram

Share this story

Illustration by Alex Castro / The Verge

When you delete something from Instagram you expect it to be gone for good. But when security researcher Saugat Pokharel requested a copy of photos and direct messages from the photo-sharing app, he was sent data he’d deleted more than a year ago, showing that the information had never been entirely removed from Instagram’s servers.

Instagram says this was due to a bug in its system that it’s now fixed, and Pokharel has been rewarded a $6,000 bug bounty for highlighting the problem. As reported by TechCrunch, Pokharel discovered the bug in October last year and says it was fixed earlier this month.

“We’ve fixed the issue and have seen no evidence of abuse.”

“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” a spokesperson for Instagram told TechCrunch. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”

It’s not clear how widespread this issue was and whether it affected all Instagram users or only a subset of them, but it’s certainly not an uncommon problem. Whenever we delete data from online services there is usually a lag of some unspecified time before the data is fully removed from the site’s servers. For Instagram, the company says it usually takes around 90 days to completely remove data. But security researchers have found similar issues with other services in the past, including Twitter, which retained direct messages between users for years after they were supposedly deleted.

In this case, the problem was only exposed because Pokharel had the option to download a copy of his data from Instagram. The Facebook-owned company introduced this download tool in 2018 to comply with the EU’s data privacy GDPR regulations.

GDPR mandates that EU citizens have a “right of access” to their data, allowing them to request a copy of all the information a company stores on them within a reasonable amount of time. As we found with our experiments exercising this right, the information you receive is not always self-explanatory, but in the case of Instagram it’s easy enough to sort through. It’s also the only easy way to find out if companies have been keeping your data long after you asked them to delete it.