Skip to main content

Twitter keeps your direct messages, even years after you delete them

Twitter is keeping copies of direct messages sent through the social network even years after users delete them, according to security researcher Karan Saini.

Saini, who told TechCrunch that he harbored “concerns” over the long retention of data, found old direct messages for Twitter accounts that were already taken down in an archive acquired through the social network’s website  He also revealed a previously undisclosed bug that allows him to use a since-deprecated API to retrieve the direct messages even after they were deleted by both the sender and the recipient.

Recommended Videos

Twitter’s privacy policy claims that it is possible for users to restore their accounts for 30 days after deactivation, in case the move to cancel was a mistake. After the 30-day period, Twitter supposedly deletes the data associated with the account, including the direct messages. However, this is apparently not the case, according to Saini’s discovery.

Please enable Javascript to view this content

TechCrunch’s own tests confirmed that it is possible to recover DMs from years ago, including those that were made by suspended and deleted accounts. Saini also tweeted a clarification on what his findings meant for the regular user.

https://twitter.com/iasni/status/1096743762007486465

Saini refers to the issue as a “functional bug,” instead of a security flaw, but it is also a privacy matter, as Twitter seemingly has a different definition of delete compared to its users. When users delete their Twitter accounts or their direct messages on the social network, the expectation is that the data is gone for good, not floating around in archives, waiting to be retrieved.

Twitter previously had trouble with direct messages, with a security bug revealed last year that possibly routed messages sent to business accounts to registered developers. Twitter also just recently suffered a privacy scare, when a bug fix for the app on Android devices somehow changed settings for private tweets for some users, exposing them to the public.

Twitter, one of the world’s most prominent social networks, makes it easier to share thoughts and to communicate with friends. However, the privacy and security issues are among the many reasons for users to be mindful of what they do with social media.

Aaron Mamiit
Aaron received an NES and a copy of Super Mario Bros. for Christmas when he was four years old, and he has been fascinated…
LG not only wants to keep your leafy greens fresh, but help you grow them too
Lg Indoor Garden

This story is part of our continuing coverage of CES 2020, including tech and gadgets from the showroom floor.

Indoor gardens seem like something more at home at CES 2000 than CES 2020. But electronics maker LG doesn't think the idea of indoor gardening is past its prime and is showing off an indoor gardening system that can be attached to the side of its refrigerators.

Read more
I paid Meta to ‘verify’ me — here’s what actually happened
An Instagram profile on an iPhone.

In the fall of 2023 I decided to do a little experiment in the height of the “blue check” hysteria. Twitter had shifted from verifying accounts based (more or less) on merit or importance and instead would let users pay for a blue checkmark. That obviously went (and still goes) badly. Meanwhile, Meta opened its own verification service earlier in the year, called Meta Verified.

Mostly aimed at “creators,” Meta Verified costs $15 a month and helps you “establish your account authenticity and help[s] your community know it’s the real us with a verified badge." It also gives you “proactive account protection” to help fight impersonation by (in part) requiring you to use two-factor authentication. You’ll also get direct account support “from a real person,” and exclusive features like stickers and stars.

Read more
Here’s how to delete your YouTube account on any device
How to delete your YouTube account

Wanting to get out of the YouTube business? If you want to delete your YouTube account, all you need to do is go to your YouTube Studio page, go to the Advanced Settings, and follow the section that will guide you to permanently delete your account. If you need help with these steps, or want to do so on a platform that isn't your computer, you can follow the steps below.

Note that the following steps will delete your YouTube channel, not your associated Google account.

Read more