5 times military secrets were exposed in apps

Privacy news
5 mins
App with military camouflage and an error icon in the top right corner.

Not even the military is immune to data leaks and privacy mix-ups. Sometimes it’s a leak from a third-party app, and sometimes they really should’ve just checked the privacy settings. From nuclear codes to hotel bookings, here are at least five times military information has been exposed through the apps they use.

1. Flashcards exposed nuclear weapons secrets

In May 2021, a Bellingcat report found publicly visible flashcards from various flashcard apps like Chegg, Quizlet, and Cram with “a multitude of sensitive security protocols about U.S. nuclear weapons.” Seventy flashcards on Chegg noted the shelters containing the weapons.

Two flashcards created on Chegg in 2019. The numbers refer to the protective aircraft shelter which the vault is in. The last two digits were censored by Bellingcat. (Source: Bellingcat)

The cards, made public by default, could further be used to track the exact location of the shelters, including ones storing loaded weapons. You could even see how recently revised they were:

A note showing when a flashcard posted by a U.S. soldier was last studied. (Source: Bellingcat)

Worse still, some of the flashcards “had been publicly visible online as far back as 2013.” The report says that “all of the sets highlighted by Bellingcat appeared to have been taken offline shortly before publication,” but there could well be more flashcards that weren’t found on these apps.

2. Military bases exposed by Strava

In 2018, a 20-year-old Australian university student found that Strava, a social fitness app, also kept track of exercise routes of military personnel in bases around the world.

Strava creates heat maps showing paths its users log whenever they run, cycle, or swim. In this case, the heat map also indicated how frequently the routes were taken by soldiers, which is as close to actionable intel as you can get.

These heat maps showed structures of foreign military bases in multiple countries, including Syria and Afghanistan, where soldiers regularly moved around. Strava has since changed their policy so that only registered users can see its heat map function, and information marked private will be deleted monthly.

3. Homes of soldiers and spies revealed on Polar Flow

Also in 2018, another fitness app, Polar Flow, went even further, showing the location data of home addresses of intelligence officers, including for profiles set to private.

In a joint investigation by Dutch news site De Correspondent and Bellingcat, researchers found that Polar Flow not only exposed running routes and exercises carried out on military bases but also their likely homes too.

Individual run locations could even be seen on pixelated maps of high-security areas.

Secretive locations are blurred by Google on satellite imagery, but Polar Flow revealed the individuals exercising there. (Source: Bellingcat)

While Polar Flow isn’t the only app tracking locations like this (see Strava), it goes a step further than its competitors by showing all the exercises a user has done since 2014 on a single world map. Polar Flow also made it astonishingly easy for the researchers to scrape its site for information on the nearly 6,500 users they focused on. All it required was a modified web address.

Among the users, researchers found the names of officers and agents at foreign intelligence services in the UK, U.S., France, and Russia, as well as staff at nuclear storage facilities. Shortly before publication, Polar Flow took its maps offline.

Read more: How private are your fitness apps? 5 tips to keep them secure

4. A hotel app leaked bookings by military and DHS personnel

In 2019, a vpnMentor team found a breach in Autoclerk—a reservations management system owned by Best Western Hotels and Resorts Group—that exposed a 179 GB database full of private information of its guests, including military and government personnel, and the Department of Homeland Security. This was possible because a contractor used by the military to book hotels used Autoclerk to manage bookings.

Among the exposed details were the names, addresses, phone numbers, and travel arrangements both past and present of hundreds of thousands of guests in the U.S. and around the world. Researchers at vpnMentor were able to view logs “for U.S. army generals traveling to Moscow, Tel Aviv, and many more destinations.” Details like room numbers and check-in times also became viewable on the database, which is incredibly valuable information for anyone looking for a specific person’s location. The database was eventually taken down.

5. A beer app showed movements of military and intelligence personnel

A rather novel social media app to rate beers around the world, Untappd lets users post pictures of the beers they drink, and tag the location where they drank the beer.

Unlike the fitness apps above, Untappd actually has decent privacy settings, letting users set location to “private,” with which they have to manually indicate the places they’ve been to. If you wanted to add your own home, you’d have to be a registered user. When it comes to data security, Untappd empowers its users.

Which makes this discovery particularly remarkable—another Bellingcat report in 2020 found members of the military checking into bases (and even a secret CIA base) with pictures of beer, some of which had shots of government ID cards, documents, and military hardware that should definitely not be public.

A picture of debit and ID card, and post-its at a desktop, posted on Untappd. (Source: Bellingcat)
Pictures of documents on military matters, clearly not meant for public consumption, posted on Untappd. (Source: Bellingcat)

Here, users have consciously added these pictures to Untappd and checked in to locations they’ve visited. This application has provided internet researchers and rival intelligence agencies alike valuable information about the users who are employed by the military.

You can try searching for military bases on the Untappd website: As of writing this article, you can still see patrons at U.S. bases like Fort Detrick and Camp Peary, although they haven’t had new check-ins since the report came out.

In the military? Think before you download or share

It is not news that apps access and collect a whole trove of data, from your personal information and real-time location to your photos and biometrics.

And unless you fully comb through the privacy policy and settings of every app you use, it’s possible that this information is going into the hands of someone else, and made visible to the public.

That is even more reason to check the apps you use on a regular basis—regardless of whether you’re in the military. Privacy labels on App Store apps can aid your decision, and configuring your privacy settings after downloading the app can help, but nothing substitutes simply not sharing that information at all.

Read more: How to make your photos more private on social media

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.