Twitter keeps your direct messages, even years after you delete them

Twitter is keeping copies of direct messages sent through the social network even years after users delete them, according to security researcher Karan Saini.

Saini, who told TechCrunch that he harbored “concerns” over the long retention of data, found old direct messages for Twitter accounts that were already taken down in an archive acquired through the social network’s website. He also revealed a previously undisclosed bug that allows him to use a since-deprecated API to retrieve the direct messages even after they were deleted by both the sender and the recipient.

Twitter’s privacy policy claims that it is possible for users to restore their accounts for 30 days after deactivation, in case the move to cancel was a mistake. After the 30-day period, Twitter supposedly deletes the data associated with the account, including the direct messages. However, this is apparently not the case, according to Saini’s discovery.

TechCrunch’s own tests confirmed that it is possible to recover DMs from years ago, including those that were made by suspended and deleted accounts. Saini also tweeted a clarification on what his findings meant for the regular user.

Folks are having some trouble understanding this, so here is a short summary:
DMs are never “deleted”—rather only withheld from appearing in the UI. The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users https://t.co/IXRdT6G9i6

— Karan Saini (@squeal) February 16, 2019

Saini refers to the issue as a “functional bug,” instead of a security flaw, but it is also a privacy matter, as Twitter seemingly has a different definition of delete compared to its users. When users delete their Twitter accounts or their direct messages on the social network, the expectation is that the data is gone for good, not floating around in archives, waiting to be retrieved.

Twitter previously had trouble with direct messages, with a security bug revealed last year that possibly routed messages sent to business accounts to registered developers. Twitter also just recently suffered a privacy scare, when a bug fix for the app on Android devices somehow changed settings for private tweets for some users, exposing them to the public.

Twitter, one of the world’s most prominent social networks, makes it easier to share thoughts and to communicate with friends. However, the privacy and security issues are among the many reasons for users to be mindful of what they do with social media.

Aaron Mamiit