Report: Twitter keeps your Direct Messages even years after deleting them

One common way people have tried to erase old conversations in Twitter DMs is to delete the entire chat. Doing so removes the conversation from the Direct Messages section of your own account, but, as it turns out, not from Twitter.

It has emerged that Twitter retains direct messages for years, including messages you and others have deleted, as well as data sent to and from accounts that have since been deactivated or suspended, according to security researcher Karan Saini.


Saini said he found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter.

He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message had been deleted by both the sender and the recipient. That bug, however, could not retrieve messages from suspended accounts.

Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.

Direct messages used to let users “unsend” messages from someone else’s inbox, simply by deleting it from their own. Twitter changed this a few years ago, and now only allows a user to delete messages from their account.

“Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page.

Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears, along with its data.

But tests show that you could recover direct messages from years ago, including old messages that had since been lost to suspended or deleted accounts. Simply requesting your account’s data archive returns all of the data Twitter stores on you, and those old messages come with it.

This conversation, dated March 2016, with a suspended Twitter account was still retrievable today

Image Source: Tech Crunch

Saini says this is a “functional bug” rather than a security flaw, but argues that it gives anyone a “clear bypass” of the Twitter mechanisms meant to prevent access to data from suspended or deactivated accounts.

This is a privacy matter, and a reminder that “delete” doesn’t mean delete, especially with your direct messages. That can expose users, particularly high-risk accounts such as journalists and activists, to government data demands seeking messages from years earlier.

That’s despite Twitter’s claim to law enforcement that once an account has been deactivated, there is only “a very brief period in which we may be able to access account information, including tweets.”

A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”

When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.

Twitter is one of the world’s most prominent social networks and makes it easy to share thoughts and communicate with friends. However, privacy and security issues like this one are among the many reasons for users to be mindful of what they share on social media.