A security researcher found that Instagram retained photos and private direct messages on its server even after deletion. He was awarded $6,000  bug bounty pay. The bug was reported last year in October and it was fixed earlier this month by Instagram.

According to a report by TechCrunch, Instagram says that it takes about 90 days for deleted data to be completely removed from its systems, networks, and caches. However, the researcher, Saugat Pokharel found that Instagram’s servers still had the data that he had deleted more than a year ago.

After using Instagram‘s data download tool, he found photos and private messages with other users that he had previously deleted. He reported the bug to Instagram and was awarded $6,000. The incident was confirmed by a spokesperson for Instagram in a statement to TechCrunch. He added that the issue had been fixed and that they did not find any evidence of abuse.