📡
Every Time Strava Exposed Military Positions
Soldiers went for a jog. The entire world found out where they were stationed.
A complete timeline of fitness tracker OPSEC disasters.
By The Numbers
120M+
Strava Users
Worldwide, uploading GPS data every day.
8B+
Activities Uploaded
Every run, ride, and swim — with full GPS traces.
7+
Major Military Exposures
That we know about. The real number is certainly higher.
0
Times Truly Fixed
New defaults, new policies, same fundamental problem.
The Timeline
The Heatmap That Lit Up Secret Bases
January 2018Strava released its Global Heatmap — a visualization of every activity ever uploaded by its users. In major cities, it was a beautiful data art project. In Afghanistan, Syria, and Somalia, it was a classified intelligence disaster. Soldiers running laps around secret forward operating bases lit them up like Christmas trees on a dark map. Bases that didn’t officially exist were suddenly outlined in neon by jogging routes.
Consequence: The Pentagon scrambled to issue new fitness tracker policies. The DoD banned GPS-enabled devices in deployed environments. Every branch of the military rewrote their electronic device regulations.
Individual Soldiers Identified at Secret Bases
2018Researchers quickly realized the heatmap was just the beginning. By cross-referencing Strava usernames, running routes, and public profiles at the now-exposed base locations, they could identify individual soldiers stationed at classified facilities. Some profiles included real names, photos, duty stations, and home addresses. A few clicks could take you from a glowing dot on a heatmap to a service member’s Facebook page.
Consequence: Strava updated privacy defaults, but the damage was done. Years of historical data had already been scraped and archived by OSINT researchers and presumably by foreign intelligence agencies.
Polar Flow Exposes Intelligence Personnel
2019Researchers from Bellingcat and De Correspondent demonstrated that Polar Flow — a competing fitness app — was even worse than Strava. Its API allowed anyone to pull the complete exercise history of any user, including locations. They identified military and intelligence personnel exercising near the NSA, MI6, the French DGSE, Guantánamo Bay, and nuclear weapons storage facilities. Individual agents could be tracked from their workplace to their homes.
Consequence: Polar suspended its Explore feature. Multiple intelligence agencies launched internal reviews. The incident proved the problem wasn’t just Strava — it was every fitness platform with GPS.
French Sahel Patrol Routes Exposed
2020French soldiers deployed in the Sahel region of Africa were found to have uploaded patrol routes to Strava. The GPS traces showed exact paths, timing, frequency, and rest points of military patrols in active conflict zones. Anyone monitoring these routes could predict patrol schedules and identify optimal ambush points.
Consequence: The French military reinforced its operational security directives. The incident highlighted that even after the 2018 scandal, soldiers were still uploading activities in combat zones.
Russian Troop Positions Revealed in Ukraine
2022In the lead-up to and during Russia’s invasion of Ukraine, Strava data revealed Russian military positions. Soldiers’ running and cycling routes near military installations showed troop concentrations, staging areas, and base layouts. OSINT analysts used the data to track unit movements and verify intelligence reports about the Russian buildup before the invasion was officially acknowledged.
Consequence: The incident became a case study in open-source intelligence. Strava data was combined with satellite imagery and social media posts to create a real-time picture of the invasion that rivaled classified intelligence products.
US Secret Service Agents Exposed
2023Strava activities uploaded by US Secret Service agents revealed their movements and locations, including details about presidential security perimeters. Agents’ running routes near the White House and at travel locations showed protective detail patterns, advance team movements, and security staging areas. Their profiles were public.
Consequence: The Secret Service issued new personal device policies. Security researchers pointed out that any adversary could use the data to study protective detail patterns and identify individual agents for targeting or recruitment.
French Aircraft Carrier Position Broadcast
March 2026A sailor aboard the French aircraft carrier Charles de Gaulle posted a jog on Strava while the ship was at sea. The carrier’s exact GPS coordinates appeared on the public activity map. A nuclear-powered aircraft carrier — one of the most strategically valuable and heavily defended military assets on Earth — had its position broadcast to anyone with a web browser because someone wanted to log their 5K.
Consequence: The French Navy launched an investigation. Eight years after the original heatmap scandal, the same fundamental problem remained completely unsolved. A €3 billion warship, defeated by a free fitness app.
How Fitness Trackers Leak
Four layers of failure, stacked on top of each other.
GPS by Default
Fitness apps record your precise GPS coordinates every second. Most users never change the default settings. The app knows exactly where you are, where you go, and how often.
Public Profiles
Strava and similar apps default to public or semi-public profiles. Your activities, routes, and sometimes your real name and photo are visible to anyone. Even "private" profiles often leak location data through segments and leaderboards.
Heatmap Aggregation
Strava’s Global Heatmap aggregates all user activity into a single visualization. In populated areas, individual routes are lost in the noise. In remote or classified locations, a single jogger’s route stands out like a flare in the dark.
API Scraping
Fitness platforms expose APIs that allow bulk data extraction. Researchers (and adversaries) can systematically query locations, pull user profiles, and cross-reference identities. What looks like a privacy setting in the app is often a suggestion, not a wall.
Glen's Take
Every military in the world has spent billions on electronic warfare, signal intelligence, and counter-surveillance. Entire careers are dedicated to hiding the location of assets from adversaries. Satellites are repositioned. Radio frequencies are encrypted. Ships run dark across entire oceans.
Then a sailor goes for a jog and broadcasts the aircraft carrier's GPS coordinates to anyone with a browser.
The most expensive military hardware on Earth, defeated by a free fitness app and the human desire to track a 5K.
Protect Your Own OPSEC
Privacy-focused gear for people who'd rather not broadcast their location.
Frequently Asked Questions
Has Strava fixed the military base exposure problem?
Not fundamentally. Strava has added privacy zones, updated default settings, and allowed users to opt out of the heatmap. But the core issue remains: GPS-enabled fitness apps collect precise location data by design, and users — including military personnel — consistently fail to configure privacy settings. The 2026 aircraft carrier incident, eight years after the original scandal, proves the problem is unsolved.
Can the military just ban fitness trackers?
Several militaries have tried. The US DoD banned GPS-enabled devices in operational areas after the 2018 heatmap incident. But enforcement is inconsistent, personal phones still have GPS, and many service members use fitness apps during off-duty hours at or near bases. The ban reduces risk but doesn’t eliminate it — as every subsequent incident has proven.
Is Strava the only fitness app with this problem?
No. Polar Flow, Garmin Connect, Apple Health, Google Fit, and virtually every GPS-enabled fitness platform has the same fundamental vulnerability. Strava gets the most attention because of its massive user base and the heatmap feature, but the underlying issue — apps that record and share precise GPS data — is industry-wide.
Get Glen's Musings
Occasional thoughts on AI, Claude, investing, and building things. Free. No spam.
Unsubscribe anytime. I respect your inbox more than Congress respects property rights.
Know someone in the military who still has Strava on public?
Keep Exploring
Viral Internet Legends
The accidental celebrities who broke the internet.
Read moreTop 25 Sports Technology Companies
The tech reshaping how we play and watch sports.
Read moreBezos & The Rise of Robots
Amazon's plan to automate everything.
Read moreTitanic Darkness
The true horror of the world's most famous shipwreck.
Read more