
Instagram Caught Keeping Deleted User Data Despite GDPR

Instagram has violated the privacy of its users by retaining people’s photos and private direct messages on its servers even after people deleted them.

The vulnerability was discovered by researcher Saugat Pokharel when he downloaded his data from Instagram last year and found that it included photos and messages he had previously removed. The researcher received a $6,000 reward for reporting the issue through Instagram’s bug bounty program.

In a conversation with TechCrunch, Pokharel said that Instagram didn’t delete his data even when he deleted it from his end. Once he realized this, he reported the issue. This was in October 2019.

Instagram Vulnerability Explained

The bug existed in a feature that Instagram added back in 2018 in accordance with GDPR. The regulations required companies operating in Europe to notify the authorities within 72 hours of any data breach or face financial penalties. The GDPR feature allowed people to download their data in a way similar to what Facebook, the parent company, provided to its users.

This is not the first case of Instagram failing to delete data that users had removed. Last year, another researcher, Karan Saini, discovered that the photo sharing service kept direct messages for years, even when deleted. Saini also revealed that Instagram sent the data to and from accounts that were deactivated or suspended.

The good news is that the bug discovered by Pokharel doesn’t seem to have been exploited in the wild.


Last year, security researcher Laxman Muthiyah discovered a critical vulnerability that could have allowed remote attackers to reset the password of Instagram accounts, thus obtaining full access to the compromised accounts. The vulnerability resided in the password recovery mechanism in the mobile version of Instagram.

The vulnerability was reported to Facebook, but it took some time for Facebook’s security team to reproduce the issue because the information in the researcher’s report was not enough. However, the proof-of-concept video convinced them that the attack was feasible.

Milena Dimitrova
