Twitter keeps direct messages that have been shared on its platform for years after users have deleted them. Even data from accounts that have been deactivated or suspended is retained by the social media website, according to security researcher Karan Saini.
Saini found years-old messages in an archive of his data that he obtained through the website, including messages from accounts that were no longer active. Saini also reported a similar bug, found a year ago but withheld until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message had been deleted by both the sender and the recipient. That bug, however, could not retrieve data from accounts that had been suspended.
Saini told TechCrunch that he had “concerns” that Twitter holds the data for so long.
TechCrunch, which tested the credibility of this claim, was likewise able to recover direct messages from years ago, including messages sent by now-suspended accounts. The report adds that by downloading an archive of their account data, users can obtain all of the data Twitter stores on them.
According to Saini, this is a “functional bug” rather than a “security flaw”, but it offers anyone a “clear bypass” of the mechanism Twitter uses to restrict access to suspended or deactivated accounts.
Nevertheless, this bug has the potential to become a security flaw. It should be kept in mind that “delete” does not mean delete, especially for your direct messages. The bug could expose users to risk, particularly high-risk accounts such as journalists and activists.
This is despite Twitter telling law enforcement that once an account has been suspended, there is “a very brief period in which we may be able to access account information, including tweets.”
A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”
The fact that Twitter retains data from years-old conversations can put the company in a legal grey area, especially since Europe’s new data protection rule allows users to demand that a company delete their data.
Companies can be fined up to four percent of their annual turnover for violating GDPR rules.