Deleting a message should mean it’s gone, right? Apparently, nobody told the iPhone’s notification database about that.
On April 22, 2026, Apple released a security update for iPhones and iPads, quietly patching a bug that allowed law enforcement, including the FBI, to recover messages that users thought they had deleted.
How did deleted messages end up being recoverable?
The reason: how iOS handled notification caching. When a message arrived, iOS triggered a notification, logging the content of the message into a database that was stored locally on the device (and stayed there for up to a month).
Even if the original message was deleted inside the app, its content stayed in this database. Call it a loophole or a bug, but it also affected disappearing messages, which are designed specifically for users who are more conscious about their privacy.
According to a report by TechCrunch (citing 404 Media), FBI investigators have been able to pull deleted Signal messages from an iPhone using forensic tools. These were messages that had appeared in notifications and were stored in the notification database, where they survived long after deletion from the app itself.
In theory, the issue could have affected messages from other apps, too, as they also show up as notifications on an iPhone.

Who called Apple out?
It was none other than the Signal president, Meredith Whittaker, who publicly called Apple out on the issue, stating that notifications for deleted messages should not remain in any operating system database.
Apple’s security notice has confirmed that “notifications marked for deletion could be unexpectedly retained on the device,” describing it as a significant issue rather than an error.
For now, the security patch is live for devices running the current iOS 26 and has been backported for users still on iOS 18. Apple, though, hasn’t explained why the issue, stemming from operating system-level caching behavior, existed in the first place.

