The flaw meant that information wiped from an iPhone or iPad’s lock screen could still be recovered from the system’s internal notification database — something digital rights groups say law enforcement had quietly taken advantage of.
The Electronic Frontier Foundation drew attention to the issue, noting that it created an unusual weak spot in Apple’s otherwise rigid approach to user privacy.
Although Apple has required a court order to hand over notification data since 2023, this loophole meant investigators could bypass that process by pulling the information directly from the device itself.
With the release of iOS 26.4.2, Apple says it has tightened the system’s handling of deleted alerts, introducing “improved data redaction” to resolve a problem where “notifications marked for deletion could be unexpectedly retained on the device.”
The patch is now rolling out across newer iPhone and iPad models, including the iPhone 11 and later generations.
The vulnerability first surfaced after 404 Media reported that the FBI had used a forensic tool to extract Signal notification data from an iPhone even after the user had removed it.
Signal CEO Meredith Whittaker addressed the concern on Bluesky, noting that “notifications for deleted [messages] shouldn't remain in any OS notification database, and we've asked Apple to address this.”
At the time, Signal urged users to limit what appears in their notifications to avoid exposing message content or sender names.
Following Apple’s fix, Signal said it was “very happy that today Apple issued a patch and a security advisory.”
According to the EFF, notification privacy can be compromised both in the cloud — where metadata may be logged — and on the device itself.
While Apple’s update should stop deleted alerts from sticking around locally, the organisation still recommends reducing how much information apps display in notifications for anyone concerned about sensitive data appearing on their screen.