Twitter caught storing deleted direct messages, even from deleted or suspended accounts

Posted at 6:26 PM, Feb 16, 2019
and last updated 2019-02-16 19:26:56-05

The tech industry has had a slew of consumer privacy issues recently, and Twitter is no exception.

According to a report from security researcher Karan Saini from TechCrunch, Twitter has been storing their users’ deleted direct messages and data sent to and from deactivated and suspended accounts, even though their privacy policy says they don’t.


Twitter’s privacy policy says, “We keep Log Data for a maximum of 18 months. When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on, Twitter for iOS, and Twitter for Android. For up to 30 days after deactivation, it is still possible to restore your Twitter account if it was accidentally or wrongfully deactivated.”

Despite Twitter’s privacy policy, Saini found messages from long before the 18-month grace period in the data he obtained through the website for deactivated Twitter accounts. He also found a similar bug that allowed him to use a since-deprecated API to retrieve direct messages after they had been deleted by both the sender and the recipient.

Twitter has issued a statement that they are “looking into this further to ensure we have considered the entire scope of the issue.” But until then, they might be liable to pay up to four percent of their annual income for these privacy violations, according to Europe’s General Data Protection Regulation.

This discovery, along with other recent discrepancies including failing to protect private tweets and surfacing deleted location information, only adds fuel to the fire for people who have begun to distrust how social media companies handle consumers’ private data.