Under Twitter's guidelines, the company wrote that "there is a very brief period in which [it] may be able to access account information, including Tweets." You can only restore your account with all its data intact within 30 days, after all. Twitter accepts requests from law enforcement to preserve records, but the platform said it will only keep a temporary snapshot of relevant account records for only 90 days.
In addition, the security researcher discovered that those archives could also come with messages you've previously deleted or were deleted by the person you were chatting with. While Twitter now only removes DMs you delete from your own inbox, Twitter used to scrub them from the recipient's inbox, as well. It looks like the platform can still keep a copy of them either way.
Saini said the records remain accessible due to a "functional bug" rather than a security flaw. Whatever it is that causes this issue, it's clearly a privacy problem -- one that Twitter still doesn't have a full grasp of. A Twitter spokesperson told TechCrunch that it's "looking into this further to ensure [the company has] considered the entire scope of the issue."