Fitness trackers have made working out so much more fun … unless, that is, you are a member of the military, in which case, your fitness tracking might be revealing super sensitive information.

In November, Strava, the maker of a fitness tracking service that uses GPS to record and map your fitness activity, released an updated global heat map that aggregates over 1 billion activities from 27 million users, including popular fitness tracking devices like Jawbone and Fitbit.

The heat map’s implications for military and national security first gained attention on Saturday, when a 20-year-old Australian student, Nathan Ruser, tweeted about the U.S. military’s clearly identifiable bases on the heat map — including in places where military operations have not been acknowledged.

20-year-old Australian student Nathan Ruser was the first to publicize the implications of Strava's heat map. 

After Ruser shared his findings on Twitter, defense analysts have been adding their own finds, like a secret base in Niger, Africa, discovered by Ben Taub, a journalist with the New Yorker: “Secret military base near Arlit, Niger, revealed as a white dot in a sea of black, because Western soldiers didn’t turn off their Fitbits.”

The heat map does not just reveal American military installations. Zooming in to Syria, for example, shows a Russian installation, Khmeimim Air Base, which was attacked by drones earlier this month.

It's not just U.S. military installations that are mapped. 

Most of the military bases on the map are publicly known — or suspected. But Tobias Schneider, an international security analyst, tells the Washington Post that the heat map is useful for anyone who is looking to gain intelligence. “This is a clear security threat. You can see a pattern of life. You can see where a person who lives on a compound runs down a street to exercise. In one of the U.S. bases at Tanf, you can see people running round in circles.”

This information can then be combined with other publicly available information to determine areas where military members congregate in high numbers, such as cafeterias or living quarters, or the outlines of buildings and bases — all of which would be useful for someone planning out an attack.

In response to this information, a military spokesperson, Air Force Col. John Thomas, says that the U.S. military is currently looking into the map’s implications, as the Washington Post reports.

This isn’t the first time that social media and military “operational security” — or opsec — have come into conflict.

In 2016, the U.S. military banned service members from playing Pokémon Go on official government devices, though this seems to have been more a result of general safety and common sense than fears about opsec, since certain bases — like Army base Fort Carson in Colorado — also put out reminders not to run into flight lines.

Meanwhile, in 2007, insurgents in Iraq were apparently able to destroy four AH-64 Apache helicopters based on photos posted by service members online and the geotagged information that they contained.

But previous bans on social media have tended to focus on the impact of an individual’s social sharing, and the Strava heat map is an example of what data can reveal — in aggregate. While the Pentagon has yet to respond to these findings, you can do your own sleuthing on Strava’s map here.