A heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows activity in and around military bases, suggesting users are servicemen and women on active duty.
And people who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers on active duty.
Potentially sensitive locations in the UK include the Sandhurst military academy, GCHQ and Faslane, where the navy stores its nuclear weapons.
A Strava spokesman said the heatmap “excludes activities that have been marked as private and user-defined privacy zones”. “We are committed to helping people better understand our settings to give them control over what they share,” they added.
Anyone can create an account for free and find routes, or “segments”, around military bases.
The app also shows which users have publicly recorded their times on certain routes, and many people on Twitter have pointed out that anyone could use such information to find other social media profiles for soldiers.
Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.
“Hopefully it’s a learning experience for the different military communities and they can toe that line between convenience and security,” he told the Sydney Morning Herald.
Others identified a US base in Nigeria and app users at Bagram air base in Iraq.
Writing for the website The Daily Beast, international security expert Jeffrey Lewis showed how anyone could identify users at a military base in Taiwan and potentially find other bases as a result.
“If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that’s very interesting if you are targeting missiles for China’s Rocket Force,” he wrote.
Users are able to make their data private, but Mr Lewis also raised concerns about whether data which has been set to private could be hacked.
Strava published a major update to the heatmap in November 2017, including “six times more data than before”, but investigators only spotted the security breach at the weekend.