Strava heat map exposes secret military locations, sparks security fears
In June 2014, Strava, which offers cycling and running tracking apps for multiple fitness platforms, claimed to be tracking over 1 million activities per week across the globe. In the next couple of years, the GPS tracking startup managed to capture 1 billion activities, 3 trillion lat-long points, and 5% of all land on Earth covered by tiles. Strava naturally wanted to showcase the reach of its huge user community. And that it did by populating its interactive global heat map with a total recorded activity duration of 200,000 years.
But the activity, which was only meant to visualize Strava’s global network of athletes, turned into a headache for security agencies around the world last weekend when a sharp-eyed Twitter user pointed out that the map gave out locations and activities of soldiers at military bases throughout the world.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
To be clear, the map, which was published online in November 2017, doesn't give out any live data. While a total of 3 trillion GPS points had been uploaded to Strava until September 2017, the global heat map only shows the aggregate of all publicly shared logs whose speeds are not higher than reasonable for running (bike rides, cars, and planes are filtered out).
If a soldier wanted to keep his/her activities private, Strava provides an enhanced privacy mode for that. The tracker also has options that let people hide the places where they live or work; a user can set up a privacy zone with a radius of between 200m and 1km around chosen addresses.
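To show what a privacy zone of this kind does to a shared track, here is an added example (not Strava's code and not from the original article) that drops every GPS point inside a zone before the track is published. The clipping logic, the function names and the sample coordinates are assumptions made for illustration; only the 200m-1km radius range comes from the text.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MIN_RADIUS_M, MAX_RADIUS_M = 200.0, 1000.0  # zone sizes quoted in the article

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def apply_privacy_zones(track, zones):
    """Return the parts of `track` that lie outside every zone.

    track: list of (lat, lon); zones: list of (lat, lon, radius_m).
    The result is a list of segments, so a consumer never draws a line
    across the hidden area by joining the points on either side of it.
    Assumed behaviour for illustration, not Strava's implementation.
    """
    for _, _, radius in zones:
        if not MIN_RADIUS_M <= radius <= MAX_RADIUS_M:
            raise ValueError(f"zone radius {radius} m is outside 200-1000 m")
    segments, current = [], []
    for lat, lon in track:
        hidden = any(haversine_m(lat, lon, zlat, zlon) <= r for zlat, zlon, r in zones)
        if hidden:
            if current:
                segments.append(current)
            current = []
        else:
            current.append((lat, lon))
    if current:
        segments.append(current)
    return segments

# Constructed sample: a run heading due north straight through a 300 m zone
# centred on (10.0, 20.0). These are not the coordinates of any real site.
SAMPLE_ZONES = [(10.0, 20.0, 300.0)]
SAMPLE_TRACK = [(10.0 + d, 20.0) for d in (-0.005, -0.003, -0.001, 0.001, 0.003, 0.005)]

if __name__ == "__main__":
    for seg in apply_privacy_zones(SAMPLE_TRACK, SAMPLE_ZONES):
        print(len(seg), "points:", seg)
```

A zone only hides points near the chosen address; everything logged outside it is still shared unless the user also opts out of public data.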
With a single click, users can also opt out of contributing the anonymized public activity data that the heat map is made up of — though that single click would need to be made on the Web version of the service because the privacy controls on the mobile app are not all-inclusive. But the thing is, that option is not checked by default, and most people don't seem to be aware of the privacy options available to them, either on the Web or on mobile.
The result is that the fitness routes of soldiers in sensitive locations are now discoverable with a few zoom-ins. Even secret military bases and installations in combat zones can be picked out from this data.
This is because while the map is lit up with activity in the United States and Europe, forward operating bases stand out as isolated hotspots in countries like Afghanistan, Syria, and Yemen, where the fitness tracker does not have too many users.
If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2
— Nathan Ruser (@Nrg8000) January 27, 2018
As this discovery went viral, the US Army's Central Command press office in Kuwait released a statement to the Washington Post, detailing how the military is refining the privacy rules that apply to fitness trackers and pushing for enforcement of the current regulations governing such devices.
“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” the statement said. “The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.”
While we are all for open data and its numerous valuable implications, this incident is just a reminder that users need to be mindful of what kind of information they are sharing with the world.