Military personnel around the world have been publicly sharing their exercise routes online – including those inside or near military bases.
Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.
It appears to show the structure of foreign military bases in countries like Syria and Afghanistan, as soldiers move around inside.
The US military is examining the heatmap, a spokesman said.
Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.
Strava said it had excluded activities marked as private from the map.
Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.
The appearance of military bases on the heatmap suggests that large numbers of military personnel across the globe have been publicly sharing their location data.
The latest version of the map was released in November 2017, but the implications for service personnel were only raised over the weekend.
Nathan Ruser, an Australian student who first highlighted the issue, said it “looks very pretty, but not amazing for Op-Sec [operational security].”
“US bases are clearly identifiable and mappable,” he said.
The location of military bases is generally well-known, both from local knowledge and pre-existing satellite imaging tools like Google Earth.
Concerns about Strava’s heatmap are mainly centred around the fact that it displays the level of activity – shown as more intense light – and the movement of personnel inside the walls.
It also appears that location data has been tracked in the area outside bases – which may show commonly-used exercise routes or patrolled roads.
The app far more popular in the West than elsewhere – which means foreign military bases stand out as isolated “hotspots” in the Middle East.
Bases which are easily identifiable include those used by the US in Syria and Iraq, an RAF base in the Falklands, and one used by French forces in Niger.
Millions of users track their location data with Strava while exercising, often using a fitness tracker worn on the wrist or a smartphone to automatically upload their location as they jog or cycle.
In an engineering blog post from November, Strava said the newest version of the map was built from one billion activities – some three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged, or swum.
Strava released a brief statement highlighting that the data used had been anonymised, and “excludes activities that have been marked as private and user-defined privacy zones.”
“We are committed to helping people better understand our settings to give them control over what they share,” it said.
The settings available in Strava’s app also allow users to explicitly opt out of data collection for the heatmap – even for activities not marked as private – or to set up “privacy zones” in certain locations.
On Monday morning, Mr Ruser – who first highlighted the potential problem – also issued a word of warning to those convinced they were uncovering top-secret bases.
“This is an incredible op-sec breach but you’re looking at lines on a map,” he tweeted. “It’s impossible to say more than ‘someone’s run near there’ with any certainty.”
He urged internet sleuths to “please look at the data in context”.