Twitter Keeps Deleted Direct Messages for At Least a Decade

Last updated July 13, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

According to security researcher Karan Saini, when a user deletes direct messages on Twitter by using the “delete” button, the messages just disappear from their inbox, not the platform. What is alarming, is the fact that Twitter is not complying with the 30-day data retaining period, as direct messages that have been deleted even a decade ago can still be accessed. Although this is likely due to a bug and not a security flaw, the issue remains immensely serious, especially with the GDPR regulation hanging like the “Sword of Damocles” above the heads of online giants like Twitter.

The researcher experimented with various scenarios like messages deleted by both the sender and the recipient, or messages sent from deactivated or even deleted accounts. With the exception of the suspended accounts, all other conversations were retrievable no matter how old they were, possibly meaning that the data is stored on Twitter’s servers from the beginning of the account creation and stay there forever. As it is required by law, users have the right to request all data that online platforms keep about their accounts, so Twitter users can do this and analyze that data to see what’s in the store about them. In TechCrunch’s tests, conversations with suspended Twitter accounts that dated back in March 2016 were still retrievable.

Now, this raises a whole host of concerns for Twitter users, especially those who use the popular social media platform for activistic and radical journalism. Governments and law enforcement agencies supposedly have a very brief period in which they are able to access account information, but as it seems from the Saini discovery, this isn’t the case. Could this be a backdoor introduced on purpose by Twitter in order to provide this information to those willing to pay for it? The researcher says that this is unlikely to be the case, but the capacity of accessing what users are wrongfully made to believe as non-existent remains, and governments may have exploited this in the past.

Twitter stated that they are looking into the matter further in order to evaluate it holistically before taking any decisions on how to remedy the problem. Right now, this seems like a finding that can put them in dire position about the way they handle users data, with fines that correspond to up to 4% of their annual turnover being the standard penalizing approach.

Are you worried by this story, or is this just another drop in the bucket of “I don’t care anymore” for your online privacy? Let us know where you stand in the comments section below, and don’t forget to help us spread the word by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: