Twitter Has Been Keeping Deleted DMs for Years

Friday February 15, 2019 11:53 am PST by Juli Clover
If you've deleted your DMs, they may be unavailable on your phone and on the web, but Twitter is still saving them, according to data from security researcher Karan Saini that was shared today by TechCrunch.

Twitter also keeps direct messages and data sent to and from accounts that have either been deactivated or suspended, according to Saini, who discovered years-old messages in a file from an archive of data from an account that was no longer active.

A bug in a now-deprecated API used to allow him to get direct messages even after a message was deleted by both sender and recipient.

Twitter says that accounts that are deactivated and deleted are removed along with all of their data after 30 days, but TechCrunch found that's not the case.
But, in our tests, we could recover direct messages from years ago -- including old messages that had since been lost to suspended or deleted accounts.
Twitter lets you download all of the data associated with your account, even a suspended or deactivated account, which lets you see everything that the company is storing.

Saini told TechCrunch this is a "functional bug" that lets people bypass Twitter mechanisms to prevent access to these kind of accounts, but as TechCrunch points out, it's also a reminder that delete doesn't mean delete when it comes to direct messages.

Twitter told TechCrunch that it is "looking into this further to ensure we have considered the entire scope of the issue."

Tag: Twitter
[ 95 comments ]

Top Rated Comments

(View all)

Avatar
AlexH
12 months ago
Why am I not surprised...
Rating: 20 Votes
Avatar
AngerDanger
12 months ago
Why not give this a positive spin and say that Twitter is building the largest database of… anatomical images?



Rating: 12 Votes
Avatar
dumastudetto
12 months ago

The whole iCloud celebrity hack from a few years ago, does that ring any bells? So how can Apple have a perfect track record?


You're holding Apple responsible for dumb celebrities using terrible passwords?
Rating: 11 Votes
Avatar
CerebralX
12 months ago
Does this actually surprise anyone though?
Rating: 10 Votes
Avatar
TrenttonY
12 months ago
I love how when tech companies are caught doing nefarious things they blame it on a pesky bug.

These darn bugs keep happening!
Rating: 10 Votes
Avatar
StevieD100
12 months ago
The EU GDPR people will be interested in this. This is a clear violation when deleted accounts are not actually gone.
IANAL etc
Rating: 8 Votes
Avatar
rafark
12 months ago
Of course it keeps them. It's a common practice in web systems not to destroy an entity when requested, but instead set it as non-public.
Rating: 8 Votes
Avatar
nitant
12 months ago

Of course it keeps them. It's a common practice in web systems not to destroy an entity when requested, but instead set it as non-public.

Exactly! Data is very rarely deleted from databases.
Rating: 8 Votes
Avatar
dumastudetto
12 months ago

It had nothing to do with that. It still was a breach and they looked bad because of it. Therefore, they're not trustworthy.


It was not a breach.
https://www.apple.com/newsroom/2014/09/02Apple-Media-Advisory/
Rating: 7 Votes
Avatar
FatMax
12 months ago

It had nothing to do with that. It still was a breach and they looked bad because of it. Therefore, they're not trustworthy.


That wasn’t a breach, the “hackers” successfully logged in with the right credentials. Get your facts straight.
Rating: 7 Votes

[ Read All Comments ]