NewsBite

Shady fake accounts expose loophole in Strava, compromising military bases in Israel

A new report has claimed unknown operatives have been taking advantage of a loophole in the popular workout app Strava.

A shady attempt to track the whereabouts of Israeli defence officials has been unearthed, revealing unknown operatives have been taking advantage of a loophole in the popular workout app Strava.

The app allows people to track their workouts and share (and compare) them online via in-depth data visualisation maps that record your distance, pace, location and time of workout.

A report from FakeReporter, a website published by Israeli cybersecurity researchers, showed how malicious attempts had been made to mine information about Israeli defence personnel.

Users, some of whom had the most stringent privacy settings, had their names and recent running routes exposed after a fake account exploited the app’s Segments feature, which allows users to create their own public group challenges.

In this case, the fake user reportedly uploaded fake running data near suspected military bases.

“The fake user was able to use this breach to learn more about the bases and about the personnel and agents there, many from Israel’s top security forces,” Executive director at FakeReporter Achiya Schatz said.

The report estimates personal information from up to 100 soldiers had been compromised across six bases.

FakeReporter reported it was able to quickly find more personal details about the Israeli soldiers via the app, including names of family members, their travel history and in some cases, their home address.

Strava, a San Francisco-based business, recently published a blog post encouraging users to review their privacy settings, announcing it would be looking over “features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.”

And it’s not the first time the app’s features have presented a security risk for the military. In 2018, analysts raised the alarm over the potential security risks of providing a world heat map, which showed a number of sensitive locations.

In sparse locations like Afghanistan and Syria, the users of Strava appear to be almost exclusively foreign military personnel.

As a result, the military bases stand out brightly against the dark backdrop of these Middle Eastern countries, exposing potentially sensitive sites.

Nathan Ruser, an analyst with the Institute for United Conflict Analysts, previously pointed out that while Strava’s “maps look pretty,” they included US military bases which were “clearly identifiable and mappable”.

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” he said.

Strava addressed the FakeReporter findings in a statement, claiming it has begun taking the “necessary steps” to fix the flaw.

“We take matters of privacy very seriously and have been made aware by an Israeli group, FakeReporter, of a segment issue regarding a specific user account and have taken the necessary steps to remedy this situation,” the company said.

Original URL: https://www.news.com.au/technology/online/security/shady-fake-accounts-expose-loophole-in-strava-compromising-military-bases-in-israel/news-story/d76172b3d0d2497fc2159841c42c1ac9