20 Biggest OPSEC Failures in Military History

Germany sent a coded diplomatic telegram to Mexico proposing a military alliance against the United States — offering Texas, New Mexico, and Arizona as incentives. British intelligence intercepted and decrypted it. The message was sent via a cable that Germany had been given permission to use for diplomatic communications, meaning they literally broadcast their war plans through enemy infrastructure.

US Navy cryptanalysts at Station HYPO cracked Japan's JN-25 naval code and discovered the target of Japan's next major offensive was "AF." To confirm AF meant Midway, they had Midway send a fake uncoded message about a water purification problem. Japan's encrypted traffic soon reported AF had a water shortage. The code was broken, and the ambush was set.

Over the course of WWII, the Allies captured multiple Enigma machines and code books from German U-boats, weather ships, and captured vessels. The seizure of U-110 in 1941 gave Bletchley Park the materials to crack Naval Enigma, while the capture of U-559's short weather signal codebooks in 1942 broke the upgraded four-rotor Enigma (Shark) that had blinded Allied intelligence for months.

Edward Snowden, an NSA contractor working for Booz Allen Hamilton, walked out of an NSA facility in Hawaii with approximately 1.5 million classified documents on thumb drives. He had system administrator access that allowed him to access files far beyond his clearance level. The NSA's internal monitoring systems failed to detect the largest intelligence breach in American history.

Army intelligence analyst Chelsea Manning downloaded approximately 750,000 classified military and diplomatic documents from the Secret Internet Protocol Router Network (SIPRNet) and leaked them to WikiLeaks. Manning used a Lady Gaga CD case to smuggle out data from a SCIF. The classified network had virtually no data loss prevention controls.

Strava published its Global Heatmap showing the aggregated GPS activity of 27 million users. In populated areas, it was data art. In Afghanistan, Syria, Somalia, and other conflict zones, it lit up secret forward operating bases, black sites, and patrol routes in brilliant neon on an otherwise dark map. Classified bases that did not officially exist became visible to anyone with a web browser.

The CIA spent years tracking Abu Ahmed al-Kuwaiti, a courier they believed was in contact with Osama bin Laden. Al-Kuwaiti used a cell phone that the NSA was able to track to a compound in Abbottabad, Pakistan. Despite al-Qaeda's strict communications security, the courier's pattern of life — including his phone usage and driving routes — created a trail that led directly to the most wanted man in the world.

During WWII, careless talk by military personnel and civilians leaked shipping schedules, convoy routes, and troop movements. Bars near military ports were prime intelligence-gathering locations for Axis agents. A congressman publicly revealed that Japanese depth charges were set too shallow — directly compromising a tactical advantage that was saving American submarines.

Russian soldiers uploaded running and cycling routes to Strava from military bases, staging areas, and forward positions before and during the invasion of Ukraine. OSINT analysts used the GPS data to track unit movements, verify intelligence about the Russian buildup, and identify individual service members. Some profiles included real names and unit affiliations.

Jack Teixeira, a 21-year-old Massachusetts Air National Guard member, leaked hundreds of pages of highly classified intelligence documents on a Discord gaming server to impress his online friends. The documents included assessments of the Ukraine war, intelligence on allied nations, and signals intelligence capabilities. He photographed classified documents and posted them to a server with about two dozen members.

Elyesa Bazna, a valet to the British Ambassador in Ankara, Turkey, photographed top-secret documents from the ambassador's safe using a Leica camera while the ambassador was sleeping. Codenamed "Cicero" by German intelligence, Bazna sold the photographs — including plans for the D-Day invasion — to the Germans for 300,000 pounds (paid in counterfeit bills).

Researchers from Bellingcat and De Correspondent demonstrated that Polar Flow — a fitness app competing with Strava — was even worse for OPSEC. Its API allowed anyone to pull the complete exercise history of any user, including precise GPS locations. They identified military and intelligence personnel exercising near the NSA, MI6, the French DGSE, Guantanamo Bay, and nuclear weapons storage facilities.

John Walker, a US Navy Chief Warrant Officer and communications specialist, sold cryptographic key material and classified documents to the Soviet Union for 17 years (1968–1985). Walker recruited his son, his brother, and a friend into the spy ring. The Soviets could decrypt over one million encrypted Navy messages, including submarine movements and nuclear war plans.

A sailor aboard the French aircraft carrier Charles de Gaulle posted a jog on Strava while the ship was at sea. The carrier's exact GPS coordinates appeared on the public activity map. A nuclear-powered aircraft carrier — one of the most strategically valuable military assets on Earth — had its position broadcast to anyone with a web browser because someone wanted to log their 5K.

Strava activities uploaded by US Secret Service agents revealed their movements and locations, including details about presidential security perimeters. Agents' running routes near the White House and at travel locations showed protective detail patterns, advance team movements, and security staging areas. Their profiles were publicly visible.

The US had broken Japan's diplomatic cipher (PURPLE) and intercepted messages indicating Japan was preparing for war. However, intelligence was compartmentalized, warnings were not properly disseminated, and the local commanders at Pearl Harbor were not given the context they needed. A radar operator who detected the incoming Japanese attack was told to ignore it.

French soldiers deployed in the Sahel region of Africa uploaded patrol routes to Strava. The GPS traces showed exact paths, timing, frequency, and rest points of military patrols in active conflict zones where French forces were fighting jihadist insurgents. Anyone monitoring these routes could predict patrol schedules.

North Korea captured the USS Pueblo, a US Navy intelligence-gathering ship, in international waters. The crew failed to destroy classified documents and cryptographic equipment before capture. The ship carried NSA code machines, encryption keys, and thousands of classified documents that were seized intact by North Korean forces.

WikiLeaks published "Vault 7," a collection of 8,761 documents detailing the CIA's cyber weapons and hacking capabilities. The leak revealed tools for compromising smartphones, smart TVs, vehicles, and encrypted messaging apps. The documents came from a CIA network that hundreds of contractors and employees could access with minimal oversight.

A group calling itself the Shadow Brokers leaked a cache of NSA hacking tools and exploits, including EternalBlue — a Windows exploit that targeted the SMB protocol. The tools were stolen from the NSA's Tailored Access Operations unit, the agency's elite hacking division. The exact method of exfiltration remains disputed.