Deauthorization Bug in messenger application – How serious is this?

My question refers to a behavior on a production system with several million chat users.

Some time ago I changed my account password and removed all devices connected to my account. The next day I noticed that during the night I still received all messages addressed to me by push notification on my mobile phone. Then I tried the same thing with another account and an emulated Android phone and ended up with the same results.

The app requires login data, but all private messages are still delivered to my deauthorized phone via push notifications. The deuathorized devices no longer appear on the account page as connected devices.

After about a week of trying to explain to the support team what my problem is, it was finally taken more seriously.
However, they can’ t tell me what devices are connected to my account and who is able to read my messages right now. I was simply told that no suspicious behavior was noted.

I have been spying on my own messages from my mobile phone for over 14 days now.

Question 1: Do you have any idea what kind of problem this is and and how hard it is to write a fix for it?

Question 2: Could this situation possibly be applied to accounts that were never connected to the mobile phone?

Question 3: Who, apart from support, can I contact and how long should I wait until i approach someone else? I have already been informed that they might not get back to me.