Cybersecurity has been at the forefront of the defense discussion for years now, but it seems that the basic premise still eludes many working within the nation’s defense apparatus. A recent report made by the Dutch newspaper De Correspondent shows that the use of the activity tracker smartphone application “Polar” by members of the U.S. Secret Service, NSA, the U.K.’s MI6 and a host of others publicly reveals their exact movements and locations. In some instances, the app offers detailed routes of running courses in and around foreign military installations. In others, it offers up the identities and home addresses of personnel working within military and intelligence installations here at home.

The report states:

Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map.”

The application itself encourages users to link their profiles to a Facebook account, list their first and last names, and include profile pictures so they can interact and compete with other fitness enthusiasts in the area. However, from an intelligence standpoint, that’s all actionable — using a combination of social media and Google maps, it becomes fairly easy to identify individuals that work within the national defense and intelligence sectors, and use their posted workouts to find their homes or identify high traffic regions of military installations.

It wasn’t just U.S. personnel identified through the investigation. Polar’s “Polar Flow” map allows users to see where others are working out and what they’re doing — and using that same functionality, De Correspondent reporter Foeke Postma and others were able to identify and track “6,460 individuals across 69 nationalities” tied to their respective nation’s defense. Among them were ranks and occupational specialties hailing from across the board, including some tasked with manning nuclear launch facilities.

We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea.

Loose apps set traps: Running app shows military bases, movements in combat zones

Read Next: Loose apps set traps: Running app shows military bases, movements in combat zones

We also learned the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases.”

Personnel from the U.S. and U.K. were joined in this embarrassment by members of Russia’s GRU and SVR RF, the DGSE in France, and the MIVD in the Netherlands.

As a result of the report, Polar has taken the “Polar Flow” map offline and issued a statement late last week emphasizing that sharing your workouts is an opt-in function, rather than an “opt-out” one. That means users need to choose to share their workout data intentionally, and according to Polar, only about two percent of their users do so — begging the question, why would personnel associated with sensitive defense initiatives decide to share their workout geography publicly, especially since a similar incident was revealed months ago tied to the fitness application Strava.

Their statement reads:

It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

While national level governments work to hinder foreign efforts to infiltrate sensitive systems in the cyber domain, it would seem the concept still hasn’t quite trickled down to the ground level, where individuals continue to offer up sensitive data on social media and smartphone applications, seemingly unaware of the ramifications of their recreational use of these platforms.

Featured image: Runners participate in the Mulberry Island Half Marathon at Joint Base Langley-Eustis, Virginia, in September 2016. | U.S. Air Force photo by Staff Sgt. Natasha Stannard