Everything on the Internet might as well be written in permanent marker—and that includes Twitter direct messages.
Karan Saini, a security researcher, said he found a bug that shows direct messages stored in his Twitter archive, which include messages that were deleted and sent between accounts that have since been suspended or deactivated. Saini reported the bug through HackerOne, a bug bounty platform that works with Twitter to reward ethical hackers who disclose vulnerabilities.
A Twitter spokesperson said the latest report is “still open,” so they could not publicly comment on specifics. However, the spokesperson called the issue a “functional bug” rather than a “security bug.”
But think of it this way: Even if you delete an email, the other person still has a copy of it in their inbox. Twitter works the same way. The company’s Help Center warns that a user can delete their DM conversations, but the other person will still have a record in their inbox.