Twitter is keeping copies of direct messages sent through the social network even years after users delete them, according to security researcher Karan Saini.
Saini, who told TechCrunch that he harbored “concerns” over the long retention of data, found old direct messages for Twitter accounts that were already taken down in an archive acquired through the social network’s website. He also revealed a previously undisclosed bug that allowed him to use a since-deprecated API to retrieve direct messages even after they were deleted by both the sender and the recipient.
TechCrunch’s own tests confirmed that it is possible to recover DMs from years ago, including those that were made by suspended and deleted accounts. Saini also tweeted a clarification on what his findings meant for the regular user.
Saini refers to the issue as a “functional bug” rather than a security flaw, but it is also a privacy matter, as Twitter seemingly defines “delete” differently than its users do. When users delete their Twitter accounts or their direct messages on the social network, the expectation is that the data is gone for good, not floating around in archives, waiting to be retrieved.
Twitter previously had trouble with direct messages, with a security bug revealed last year that possibly routed messages sent to business accounts to registered developers. Twitter also just recently suffered a privacy scare, when a bug fix for the app on Android devices somehow changed settings for private tweets for some users, exposing them to the public.
Twitter, one of the world’s most prominent social networks, makes it easier to share thoughts and to communicate with friends. However, the privacy and security issues are among the many reasons for users to be mindful of what they do with social media.