The information leak is not the result of a hacking attack. It comes from Strava's own Global Heat Map, which displays the locations of activities of its millions of users over a period of more than two years.
The Global Heat Map Of Strava
The Global Heat Map of Strava, which can be freely accessed online, utilizes satellite information to illuminate areas around the world where the app was used from 2015 to September 2017.
A quick look at the map shows heavily illuminated areas in North America and Europe, where fitness tracker devices installed with Strava are heavily used. However, in war-torn countries such as Iraq and Syria, the heat map is almost completely dark, save for specific areas of activity.
Taking a close look at these areas, users will see that some of them are known U.S. military bases. However, some areas are unknown locations, which probably means that they are secret outposts where American soldiers and other military personnel operate. By using Strava in these secret military bases, personnel let the app give away their locations.
What Else Did The Strava Global Heat Map Reveal?
The security implication of the Global Heat Map, which was uploaded in November 2017, was publicized by 20-year-old Australian international security student and Institute for United Conflict Analysts founding member Nathan Ruser. He said that he took a closer look at the map after a snide comment by his father that it showed "where rich white people are" around the world.
Ruser zoomed in on Syria and discovered where U.S. soldiers were knowingly and secretly located. As he tweeted about his discovery, other users started chiming in with their own findings. For example, Daily Beast journalist Adam Rawnsley spotted jogging activity on a beach that is near a supposed CIA base in Somalia's Mogadishu, New Yorker journalist Ben Taub found where U.S. Special Operations bases were located in Africa's Sahel region, and a Twitter user claimed that he discovered a Patriot missile system site in Yemen.
Strava, Apparently A Threat To Military Operations Security
In a tweet, Ruser said that Strava's Global Heat Map "looks very pretty, but not amazing for Op-Sec," referring to the operational security of the U.S. military. Who knew that a fitness tracker app would be the one to reveal the locations of secret facilities?
In a follow-up tweet, Ruser said that the online map allowed him to identify regular jogging routes for military personnel. This is bad news for security, as it establishes reliable "pattern of life" information that would otherwise be unavailable to the rest of the world.