Every Time Strava Exposed Military Positions

Strava releases its Global Heatmap — a visualization of every activity ever uploaded. In cities, it looks like a cool data art project. In Afghanistan, Syria, and Somalia? Classified intelligence disaster. Soldiers running laps around secret forward operating bases literally drew the outlines on the map. Bases that didn't officially exist were right there for anyone with a browser. Just... right there.

The heatmap was just the beginning. Researchers cross-referenced Strava usernames, routes, and public profiles at exposed base locations to identify individual soldiers. Some profiles had real names, photos, duty stations, and home addresses. You could go from a dot on the heatmap to a service member's Facebook page in like three clicks. Three clicks.

Researchers from Bellingcat and De Correspondent showed that Polar Flow was actually worse than Strava. Its API let anyone pull the complete exercise history of any user, locations included. They found military and intelligence personnel exercising near the NSA, MI6, DGSE, Guantánamo Bay, and nuclear weapons storage facilities. You could track individual agents from their workplace to their homes. From the gym to the living room.

French soldiers deployed in the Sahel uploaded patrol routes to Strava. GPS traces showed exact paths, timing, frequency, and rest points of military patrols in active conflict zones. Anyone watching could predict patrol schedules and plan ambush points. Just sitting at a laptop.

Before and during Russia's invasion of Ukraine, Strava data gave away Russian military positions. Running and cycling routes near installations showed troop concentrations, staging areas, and base layouts. OSINT analysts tracked unit movements and verified intelligence reports about the Russian buildup before anyone officially acknowledged it was happening.

Secret Service agents — the people guarding the President — had been uploading runs to Strava. Public profiles. Their routes near the White House and at travel locations revealed protective detail patterns, advance team movements, and staging areas. All visible to anyone. Anyone.

Stanislav Rzhitsky, a Russian submarine commander who'd ordered cruise missile strikes on Ukraine, was shot and killed while jogging in Krasnodar, Russia. He ran the same route at the same time every day. His Strava profile was public. Pace, schedule, exact GPS route — all of it, right there. He was killed on his habitual morning run.

A sailor aboard the French aircraft carrier Charles de Gaulle posted a jog on Strava while the ship was at sea. The carrier's exact GPS coordinates showed up on the public activity map. A nuclear-powered aircraft carrier. Position broadcast to the entire world. Because someone wanted to log a 5K. I can't.