Security researcher Saugat Pokharel has clinched a $6,000 bug bounty after noticing that the service kept messages and photos on its servers long after users wiped them, TechCrunch reports. The discovery was possible thanks to Instagram’s own data download tool, which the company released in 2018 to comply with GDPR. It’s pretty standard practice for companies to retain freshly deleted data on their servers until it can be properly wiped. Instagram says it takes 90 days to fully erase such data, but the researcher found he could still access messages and photos deleted over a year ago using the company’s data download tools. Pokharel reported the kink to Instagram in October 2019, but the issue was only fixed earlier this month. “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” Instagram told TechCrunch. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.” We thank him too.