If you’ve deleted your DMs, they may be unavailable on your phone and on the web, but Twitter is still saving them, according to data from security researcher Karan Saini that was shared today by TechCrunch.
Twitter also keeps direct messages and data sent to and from accounts that have either been deactivated or suspended, according to Saini, who discovered years-old messages in a file from an archive of data from an account that was no longer active.
A bug in a now-deprecated API used to allow him to get direct messages even after a message was deleted by both sender and recipient.
Twitter says that accounts that are deactivated and deleted are removed along with all of their data after 30 days, but TechCrunch found that’s not the case.
But in tests, direct messages from years ago were recovered — including old messages from accounts that had since been suspended or deleted.
Twitter lets you download all of the data associated with your account, even a suspended or deactivated account, which lets you see everything that the company is storing.
Saini told TechCrunch this is a “functional bug” that lets people bypass the mechanisms Twitter uses to prevent access to such accounts, but as TechCrunch points out, it’s also a reminder that delete doesn’t mean delete when it comes to direct messages.
Twitter told TechCrunch that it is “looking into this further to ensure we have considered the entire scope of the issue.”