It seems Instagram wasn’t quite honest with its users when it gave them the option to permanently delete their messages and photos.

Security researcher Saugat Pokharel has clinched a $6,000 bug bounty after noticing that the service kept messages and photos on its servers long after users wiped them, TechCrunch reports. The discovery was possible thanks to Instagram‘s own data download tool, which the company released in 2018 to comply with GDPR.

It’s pretty standard practice for companies to retain freshly deleted data on their servers until it can be properly wiped. Instagram says it takes 90 days to fully erase such data, but the researcher found he could still access messages and photos deleted over a year ago using the company’s data download tools.

Pokharel reported the kink to Instagram in October 2019, but the issue was only fixed earlier this month.

“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” Instagram told TechCrunch. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”

We thank him too.

Read next: Revolutionary technique lets astronomers find a huge planet that’s just like Saturn

Pssst, hey you!

Do you want to get the sassiest daily tech newsletter every day, in your inbox, for FREE? Of course you do: sign up for Big Spam here.