Instagram keeps deleted photos and messages on its servers for more than a year


If you delete something from Instagram, you expect it to be gone forever. But when security researcher Saugat Pokharel requested a copy of photos and instant messages from the photo-sharing app, he was sent data he had deleted more than a year ago, and found that the information was never completely deleted from Instagram servers.

Instagram says this was due to a flaw in its system that it has now fixed, and Pokharel has been rewarded with a $6,000 bug bounty for highlighting the issue. As reported by TechCrunch, Pokharel discovered the flaw in October last year and says it was fixed earlier this month.

“The investigator reported an issue where someone’s deleted pictures and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” an Instagram spokesman told TechCrunch. “We have fixed the problem and have not seen any evidence of abuse. We thank the researcher for reporting this issue to us.”

It is not clear how widespread this problem was and whether it affected all Instagram users or only a subset of them, but it is certainly not an uncommon problem. Each time we delete data from online services, there is usually a delay of some unspecified time before the data is completely deleted from the site’s servers. For Instagram, the company says it normally takes about 90 days to delete data completely. But security researchers have in the past found similar problems with other services, including Twitter, which kept messages between users for years after they were likely deleted.

In this case, the problem was only exposed because Pokharel had the option to download a copy of his data from Instagram. The Facebook-owned company introduced this download tool in 2018 to comply with EU GDPR data protection rules.

GDPR states that EU citizens have a ‘right of access’ to their data, which allows them to request a copy of any information a company stores about them and to receive it within a reasonable time. As we found in our own experiments exercising this right, the information you receive is not always self-explanatory, but in the case of Instagram, it is easy enough to sort through. It’s also the only easy way to find out if companies have kept your data long after you asked them to delete it.