Strava, a fitness tracking application that logs users' movements as they cycle, surf, or jog, has accidentally exposed or confirmed the location of various military bases and facilities all over the world.

The so-called leak is not an accident, but something intentional. Last November [1, 2], Strava published an interactive map with over 13 trillion GPS points from all its users. The map was meant to impress potential users regarding the large number of people around the globe that were already using the app to track their fitness sessions.

Instead, over the past weekend, this interactive map turned into an intelligence gathering ground after Nathan Ruser, an analyst with the Institute for United Conflict Analysts, noticed how the map also highlighted military bases, which sometimes stood out as hotspots of intense fitness activity in the middle of remote areas.

Since Ruser's first discovery, social media has been ablaze with this subject, with countless of military, political, and privacy experts combing the Strava map for new bases or to confirm rumors of older military facilities.

Everybody got the treatment, not just the US and Russia. New bases were discovered or confirmed for North Korea, China, Turkey, Iran, Australia, the UK, and others.

Some experts also argue that these routes may not include just exercise tracks and fields only, and may even show patrol routes for military users who forgot to turn off the app. If true, exposing patrol routes could have far more dangerous consequences for the safety of those individuals.

Users failed to set up privacy zones

This massive leak of military intel happened because military personnel turned on their Strava app to work out while at bases.

The app allows users to set up so-called "privacy zones," rectangular areas where the app automatically turns off and doesn't collect GPS info. These zones can be placed over the user's home or work locations to safeguard personal data.

Because these zones are unique to each user, they need to be set up before using the app. The problem is that very few users know of them, as the app doesn't prompt users about it during the onboarding process.

"A lot of people are going to have to sit thru lectures come Monday morning," said Tobias Schneider, a Middle East political analyst.

But this intense prodding over the weekend has unearthed other problems as well. Privacy experts have also warned Strava that by listing top performers for popular tracks or segments, an attacker could infer a user's exercise routes based on known usernames.

The Strava app got the attention it was seeking last November, but just not the one it was expecting.