Twitter users may need to start thinking twice before sending direct messages on the popular social media platform.
According to a report from TechCrunch, Twitter currently stores messages that have been sent by users, even if the messages have been deleted. So while active users may think they’ve gotten rid of a message because it’s no longer viewable from their side of the account, it’s actually being stashed away by the company. Twitter is also reportedly saving data sent to and from suspended and deactivated accounts.
This information comes from security researcher Karan Saini, who said he found messages that were several-years-old located in a file from his achieved data obtained through the website for accounts that were no longer on Twitter.
When a user attempts to deactivate an account, Twitter prompts them and explains that there is a grace period and the company will keep your information and account intact for up to 30 days. After those 30 days, the account will be deleted along with all its data, but that doesn’t seem to be the case. TechCrunch conducted its own tests and proved Saini’s claims to be valid.
“But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. By downloading your account’s data, it’s possible to download all of the data Twitter stores on you,” the tech blog explained.
The average user might not consider this a major issue, as Twitter isn’t actually leaking the information, but Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.
"Twitter stores your DMs on its servers!1`1!" pic.twitter.com/aSfswVTwob
— The Register (@TheRegister) January 16, 2018
Initially, when a user deletes a direct message from their personal inbox, the message was also removed from the recipients’ inbox, but Twitter has since changed that.
“Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter states in a help page.
Saini went on to say that this isn’t exactly a security flaw but more of a “functional bug” found on the platform. He also mentioned that he previously discovered another bug that gave him access to Twitter DMs last year. The bug has recently been reported and the API has now been deprecated.
A Twitter spokesperson told TechCrunch that the company is currently “looking into this further to ensure we have considered the entire scope of the issue.”
In other Twitter-related news, CEO Jack Dorsey recently announced that the platform might offer a “clarification” feature instead of the highly requested edit button, according to a report from Mashable.