
Twitter Has Been Keeping Deleted DMs for Years

If you've deleted your DMs, they may be unavailable on your phone and on the web, but Twitter is still saving them, according to data from security researcher Karan Saini that was shared today by TechCrunch.

Twitter also keeps direct messages and data sent to and from accounts that have either been deactivated or suspended, according to Saini, who discovered years-old messages in a file from an archive of data from an account that was no longer active.

A bug in a now-deprecated API allowed him to retrieve direct messages even after both the sender and the recipient had deleted them.

Twitter says that accounts that are deactivated and deleted are removed along with all of their data after 30 days, but TechCrunch found that's not the case:

"But, in our tests, we could recover direct messages from years ago -- including old messages that had since been lost to suspended or deleted accounts."

Twitter lets you download all of the data associated with your account, even a suspended or deactivated account, which lets you see everything that the company is storing.

Saini told TechCrunch this is a "functional bug" that lets people bypass the Twitter mechanisms meant to prevent access to these kinds of accounts. As TechCrunch points out, it is also a reminder that, when it comes to direct messages, delete doesn't mean delete.

Twitter told TechCrunch that it is "looking into this further to ensure we have considered the entire scope of the issue."


Top Rated Comments


9 months ago
Why am I not surprised...
Rating: 20 Votes
9 months ago
Why not give this a positive spin and say that Twitter is building the largest database of… anatomical images?



Rating: 12 Votes
9 months ago

The whole iCloud celebrity hack from a few years ago, does that ring any bells? So how can Apple have a perfect track record?


You're holding Apple responsible for dumb celebrities using terrible passwords?
Rating: 11 Votes
9 months ago
I love how when tech companies are caught doing nefarious things they blame it on a pesky bug.

These darn bugs keep happening!
Rating: 10 Votes
9 months ago
Does this actually surprise anyone though?
Rating: 10 Votes
9 months ago

Of course it keeps them. It's a common practice in web systems not to destroy an entity when requested, but instead set it as non-public.

Exactly! Data is very rarely deleted from databases.
Rating: 8 Votes
9 months ago
Of course it keeps them. It's a common practice in web systems not to destroy an entity when requested, but instead set it as non-public.
Rating: 8 Votes
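The pattern the two comments above describe is usually called a soft delete: the row is flagged as deleted and hidden from the normal read path, but it physically remains in the store until a separate purge job removes it. The following is an added illustration of that pattern and of why a raw export or a read path that forgets the flag can still surface "deleted" data; it is constructed for this page and is not code from Twitter, TechCrunch, or the commenters. The message schema, the in-memory store, and the purge job are assumptions; the 30-day window mirrors the retention policy quoted in the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention window after which a soft-deleted row is physically removed.
# The 30-day figure mirrors the policy quoted in the article; everything
# else here is a constructed example, not Twitter's implementation.
RETENTION = timedelta(days=30)


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str
    deleted_at: Optional[datetime] = None  # None means the message is still live


class MessageStore:
    """In-memory stand-in for a database table of direct messages (assumed)."""

    def __init__(self) -> None:
        self._rows: dict[int, Message] = {}

    def put(self, msg: Message) -> None:
        self._rows[msg.msg_id] = msg

    def soft_delete(self, msg_id: int, now: datetime) -> None:
        # "Delete" as the user sees it: the row stays, it is only flagged.
        self._rows[msg_id].deleted_at = now

    def visible_to(self, user: str) -> list[Message]:
        # The application's public read path filters flagged rows out.
        return [m for m in self._rows.values()
                if m.deleted_at is None and user in (m.sender, m.recipient)]

    def raw_rows(self) -> list[Message]:
        # What a bulk data export, a backup, or a read path that skips the
        # deleted_at filter would still see.
        return list(self._rows.values())

    def purge(self, now: datetime) -> int:
        # Hard delete: physically drop rows whose retention window has passed.
        expired = [k for k, m in self._rows.items()
                   if m.deleted_at is not None and now - m.deleted_at >= RETENTION]
        for k in expired:
            del self._rows[k]
        return len(expired)


def walk_through() -> dict[str, int]:
    """Constructed scenario: two DMs, one deleted by the user, then purge runs."""
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    store = MessageStore()
    store.put(Message(1, "alice", "bob", "hi"))
    store.put(Message(2, "alice", "bob", "delete this one"))
    store.soft_delete(2, now=t0)
    return {
        "visible_to_bob": len(store.visible_to("bob")),         # 1: hidden from the app
        "raw_after_delete": len(store.raw_rows()),              # 2: still in the store
        "purged_day_10": store.purge(t0 + timedelta(days=10)),  # 0: inside the window
        "purged_day_30": store.purge(t0 + timedelta(days=30)),  # 1: now physically gone
        "raw_after_purge": len(store.raw_rows()),               # 1
    }


if __name__ == "__main__":
    print(walk_through())
```

The point for a defender is the gap between `visible_to` and `raw_rows`: any export, backup, or API endpoint that reads the table without applying the `deleted_at` filter returns the flagged rows, and nothing actually disappears until `purge` runs on schedule and covers every copy of the data.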
9 months ago
The EU GDPR people will be interested in this. This is a clear violation when deleted accounts are not actually gone.
IANAL etc
Rating: 8 Votes
9 months ago

It had nothing to do with that. It still was a breach and they looked bad because of it. Therefore, they're not trustworthy.


That wasn’t a breach, the “hackers” successfully logged in with the right credentials. Get your facts straight.
Rating: 7 Votes
9 months ago

It had nothing to do with that. It still was a breach and they looked bad because of it. Therefore, they're not trustworthy.


It was not a breach.
https://www.apple.com/newsroom/2014/09/02Apple-Media-Advisory/
Rating: 7 Votes
