A security researcher was awarded $6,000 for discovering that Instagram saved private photos and messages on its servers long after they were deleted by the user.
Independent security researcher Saugat Pokharel found out by downloading his data from Instagram. This feature was launched in 2018 to comply with the new European regulations on personal data. The downloaded files contained photos and private messages of the user that he had previously deleted.
Instagram had already warned that it took around 90 days to erase such data once the user himself had done so, but Pokharel realized that these were stuff that he had disposed of more than a year ago.
“Instagram didn’t delete my data even when I deleted them from my end,” he clarified to TechCrunch.
Pokharel reported the bug in October 2019 through an Instagram special big bounty program. The bug was fixed in early August.
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” said a spokesman for the social network.
It is not clear how many users were affected by the bug, but apparently it is not an uncommon problem. Whenever we remove something from online services there is usually a time delay until they completely disappear from the site’s servers.