Military personnel around the world have been publicly sharing their exercise routes online – including those inside or near military bases.
Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.
It appears to show the structure of foreign military bases in countries like Syria and Afghanistan, as soldiers move around inside.
The US military is examining the heatmap, a spokesman said.
Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.
Strava said it had excluded activities marked as private from the map.
Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.
The appearance of military bases on the heatmap suggests that large numbers of military personnel across the globe have been publicly sharing their location data.
The latest version of the map was released in November 2017, but the implications for service personnel were only raised over the weekend.
Nathan Ruser, an Australian university student who first highlighted the issue, said he came across the map while browsing a cartography blog last week.
“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,'” he told the BBC.
The location of military bases is generally well-known, both from local knowledge and pre-existing satellite imaging tools like Google Earth.
Furthermore, concerns about Strava’s heatmap are mainly centred around the fact that it displays the level of activity – shown as more intense light – and the movement of personnel inside the walls.
It also appears that location data has been tracked in the area outside bases – which may show commonly-used exercise routes or patrolled roads.
Mr Ruser, 20, said he was shocked by how much detail he could see. “You can establish a pattern of life,” he said.
The app is far more popular in the West than elsewhere – which means foreign military bases stand out as isolated “hotspots” in the Middle East.
Other easily identifiable bases include those used by the US in Syria and Iraq, an RAF base in the Falklands, and one used by French forces in Niger.
Millions of users track their location data with Strava while exercising, often using a fitness tracker worn on the wrist or a smartphone to automatically upload their location as they jog or cycle.
In an engineering blog post from November, Strava said the newest version of the map was built from one billion activities – some three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged, or swum.
Strava released a brief statement highlighting that the data used had been anonymised, and “excludes activities that have been marked as private and user-defined privacy zones.”
“We are committed to helping people better understand our settings to give them control over what they share,” it said.
The settings available in Strava’s app also allow users to explicitly opt out of data collection for the heatmap – even for activities not marked as private – or to set up “privacy zones” in certain locations.
However there are now concerns around the security of the collected data, and the possibility for it to identify individual users.
Mr Ruser, who is studying international security at the Australian National University, said anyone could have spotted the information.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed,” he said.
“Someone would have noticed it at some point. I just happened to be the person who made the connection.”