Instagram has awarded a security researcher a $6,000 bug bounty payout after he found photos and private direct messages on the platform's servers that he had deleted more than a year ago (via TechCrunch).
Saugat Pokharel discovered in October that his content hadn't been removed, after downloading a copy of his data from the photo-sharing app. Instagram introduced the download option two years ago to comply with the European Union's GDPR data privacy regulation.
Instagram said the reason Pokharel's information had never been entirely removed from its servers was down to a bug that it has now fixed.
"The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram," a spokesperson for Instagram told TechCrunch. "We've fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us."
The issue is almost identical to one that Twitter fixed last year, in which a security researcher discovered years-old messages in a file from an archive of data from an account that was no longer active.
Although the retrieval of deleted data was bug-related in both cases, it's worth remembering that when you opt to delete content from social media accounts, it can still hang around on company servers for some time.
Twitter says that accounts that are deactivated and deleted are removed along with all of their data after 30 days, while Instagram says it takes about 90 days for deleted data to be fully removed from its systems.
Top Rated Comments
WHILE (RequestForDownload == TRUE) DO
    IF (OBJECT == 'MarkedForDeletion')
    THEN ExcludefromDownload = TRUE;
DONE
END;
Just read their own words “The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram”