You may have deactivated or deleted a Twitter account sometime in the last several years, but rest assured, the DM’s you sent from that account could still be hanging around in the Twitter servers. This is according to data from security researcher Karan Saini via TechCrunch.
Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient — though, the bug wasn’t able to retrieve messages from suspended accounts.
Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.
Twitter claims accounts that have been deactivated and deleted are removed from the service along with all the rest of the account’s data after 30 days. However, TechCrunch says they found that to not be the case.
But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts.
The service allows you to download all of the data associated with your account, even if it’s suspended or deactivated, and guess what comes along for the ride?
While Saini says this is a “functional bug” rather than a security flaw, it does provide anyone a “clear bypass” of the Twitter mechanisms in place designed to prevent access to suspended or deactivated accounts. It is also a strong reminder that on the internet, “deleted” is never really deleted.