A Bug Retained Deleted Photos And Messages On Instagram Server


As per an independent security researcher Saugat Pokharel, Instagram stored year old deleted photos and messages on its server. Moreover, the data could be easily recovered using the in-app download tool.

This is something that we as a user of this platform would never expect from Instagram. Besides, this is an invasion of privacy as the data deleted over a year ago still can be accessed easily from the server.

This Instagram server bug was found by Saugat in a $6000 bug bounty program last year in October. Notably, Saugat found out about this breach when he downloaded his Instagram data using the in-app feature.


The downloaded Instagram data contained all the images and direct messages which were deleted over a year ago. However, as TechCrunch reports, Instagram has fixed this bug earlier this month. That’s some relief.

Instagram claims it takes about 90 days to completely delete the data from its server

This bug also refutes the claims of Instagram, which says that it deletes the data from its server in about 90 days. As the researcher could recover deleted data from over a year ago.

As per a company spokesperson, there is no evidence of abuse of this bug and it was eventually fixed earlier this month. Apparently, there are no numbers that can reveal how widespread this issue was.


Moreover, it cannot be said for sure whether this bug affected all the Instagram users or limited users. Whatever the case may be, fortunately for the Instagram users, the bug is now removed.

It is a common practice by companies to hold on to the data before deleting them permanently from their server. However, keeping the data safe and sound in its server after deletion more than a year ago raises some questions.

Twitter also had a near-identical issue last year with direct messages

Meanwhile, the issue is similar to what we came across with Twitter last year. Notably, Twitter used to save direct messages, even from suspended and deactivated accounts. Users could even download the data using the download tool.


The good thing here is thanks to the availability of the download tool, Pokharel could find this bug. This download tool was introduced by Instagram in 2018.

The tool complies with European data rules, which give users to have “right of access” to their data. This allows them to download their personal data from any platform within a specified time frame.

Notably, this is not the first incident where a company has kept the deleted data over the prescribed time limit. Such issues should be properly scrutinized, as it is a matter of user safety.