While Twitter currently allows users to delete direct messages (DMs) from their end (but not from the recipient's side of the conversation), it appears that those messages have been kept by the company for years now. That's according to security researcher Karan Saini, who found proof of it after downloading his archived data from the social networking site.
It's not clear how long Twitter has been storing those presumably deleted private messages, but Saini said the "functional bug" affects DMs from deactivated or suspended accounts as well as messages that have been deleted by both the sender and the recipient. It's important to note that the bug doesn't expose the data to anyone other than the sender and recipient of a particular (deleted) message. However, Saini's findings cast Twitter's commitment to transparency in a bad light.
The company didn't refute the security researcher's claim and vowed to take a deeper look into the matter. In its guidelines for law enforcement, Twitter claims that it has a "very brief" window to gain access to information associated with an account after it has been deactivated.
That said, the bug isn't as serious a security concern as the one that exposed users' conversations and DMs to third parties for over a year, starting in May 2017. The issue was fixed late last year.