With the arrival of the GPDR for data protection and privacy, Instagram has set a new rule — if a user deletes photos or messages from his profile, they can only be stored on the servers for up to 90 days. However, an Instagram bug kept the deleted data longer, well over a year.
Security researcher Saugat Pokharel discovered the Instagram security bug in October 2019.
In 2018, Instagram included a tool under the European GDPR that entitles Europeans to access their data that allows users to download all their personal account data from servers.
Using this tool, in October 2019, Pokharel requested a copy of the photos and direct messages from the app, and the copy he subsequently received contained information that he had deleted more than a year ago.
Instagram has stepped up, claiming that this was due to a bug in its system that is now fixed, and Pokharel has been rewarded with an amount of $6,000 for discovering the problem.
According to Instagram, the problem did not go further, and there was no security breach.