An investigation by NIF grantee FakeReporter has uncovered a breach in the Strava app, an app for tracking physical activity and exercise. The breach exposed dozens of Israeli security personnel and soldiers at sensitive intelligence and air force bases.

The information gathered included their full identities, places they had visited abroad, the addresses of their homes, and details about other family members.

According to FakeReporter, the breach was the result of confusing privacy settings combined with negligence on the part of the app’s security personnel. Since Fake Reporter exposed the breach, the company has set up a special team to deal with it.

According to FakeReporter, the breach was systematically exploited by at least one person, who operates under the nickname Ez Shl. As a user of the app, his activity data were suspicious: he “ran” in security-sensitive areas, the GPS paths he took are unreasonably straight, and do not have realistic times associated with them.

“Users are unaware of the information they disclose online,” FakeReporter CEO Achiya Schatz told Israeli newspaper Calcalist, “The reality is that with the click of a button, an app can become a weapon. We all pay a price for it, but for security personnel it may be a matter of life and death or a matter of national security. [FakeReporter] offers an effective way out of this bind, both by raising awareness to the broader public that these dangers exist and by strengthening their critical eye.”