Deleted iPhone Messages and Photos Are Reappearing

When iOS 26 rolled out, thousands of iPhone users discovered something uncomfortable: messages, photos, and notes they had deliberately deleted, in some cases years ago, were reappearing on their devices. For many, the content flooding back stretched four or more years into the past. As MacObserver reported, this was not a handful of stray files. Users were seeing thousands of items return. Apple did not issue a public statement in response.

Then the story got more serious. On 9 April 2026, 404 Media reported that the FBI had recovered deleted Signal messages from a defendant’s iPhone during a federal trial in Texas, not by breaking Signal’s encryption, but by extracting data from iOS’s internal notification database. Signal had been deleted from the device – but the FBI extracted the content anyway.

These are two separate issues, but they point to the same reality: deleting something on your iPhone does not mean it is gone.

Why Deleted iPhone Messages Keep Coming Back After iOS 26

The iCloud reappearance issue comes down to how Apple handles deletion. When you delete a message on your device, you are removing it locally. Unless you also delete it from iCloud, Apple retains it on its servers. When iOS re-syncs after a major update, it can pull that content back down to your device.

According to Apple’s official support documentation, deleted messages move to a Recently Deleted folder for 30 days, after which they are removed from your devices. They are then permanently deleted from iCloud after a further 10 days, giving a total window of 40 days. The iOS 26 reports suggest that content well beyond that window was still being retained in some form, accessible enough to be re-surfaced by a software update. As one Apple Community user wrote: “What are the implications that these ‘deleted’ messages are STILL in circulation when the user clearly intended to delete them YEARS ago?”

The issue was reportedly flagged during iOS 26 beta testing, as MacRumors forum users confirmed, which suggests that Apple may have had visibility of the problem before the public release.

The iOS Notification Database Flaw Used by the FBI

The CVE-2026-28950 vulnerability is a different problem entirely, and a more serious one. When Signal’s message previews were enabled on a defendant’s iPhone, iOS was caching the content of incoming notifications in its internal push notification database. That data persisted for an unspecified period even after the messages were deleted and the Signal app was removed from the device entirely. Notably, the issue did require physical device access in order to exploit the flaw.

As 404Media reported on the event, clarifying the methodology and the type of messages that were extracted: “Messages were recovered from Sharp’s phone through Apple’s internal notification storage. Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)”

Signal’s encryption was not broken. The vulnerability existed entirely within Apple’s operating system, one layer below where Signal’s protections operate. As BleepingComputer noted, Apple confirmed the flaw but did not clarify how long notification data was retained or whether it had been exploited in other cases.

What the iOS 26.4.2 Patch Fixes and What It Does Not

Apple released iOS 26.4.2 on 22 April 2026, patching CVE-2026-28950 with what it described as “improved data redaction.” Signal confirmed that once the update is installed, all inadvertently preserved notifications will be deleted and no future notifications will be retained for deleted apps. No additional action is needed beyond installing the update.

However, iOS 26.4.2 does not fix the iCloud data retention behaviour behind the mass content reappearance issue. If you have updated and are still seeing old messages return, that is the iCloud sync problem, which remains unaddressed by Apple.

What you should do now:

1. Update to iOS 26.4.2 immediately via Settings, then General, then Software Update
2. In Signal, go to Settings, then Notifications, then Notification Content, and set it to “Name Only” or “No Name or Content” to prevent message content from being written to system logs
3. To permanently delete iMessages from iCloud, delete them directly in the Messages app on your device while Messages in iCloud is enabled. This syncs the deletion across all your devices and iCloud. You can also open the Recently Deleted folder in Messages and delete from there to remove them immediately without waiting for the 30-day window to expire. Note: iMessages cannot be managed or deleted via icloud.com, unlike photos or files
4. Enable Advanced Data Protection in iCloud via Settings, your Apple ID, then iCloud, then Advanced Data Protection, to extend end-to-end encryption to your stored data

What This Means for Your Privacy

The iOS 26 episode is a concrete reminder that data you believe you have deleted frequently persists longer than expected, whether in iCloud, a notification cache, or a platform’s infrastructure. This applies beyond iMessage. Years of posts, messages, photos, and comments across social platforms contribute to a digital footprint that can resurface in ways you did not anticipate.

Apple’s data handling practices operate more similarly to its competitors than its marketing implies. Privacy laws are evolving, but enforcement lags behind the reality of how data is retained. The most reliable protection is reducing how much persists in the first place.