Military personnel around the world have been publicly sharing their exercise routes online – including those inside or near military bases.
Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.
It appears to show the structure of foreign military bases in countries like Syria and Afghanistan, as soldiers move around inside.
The US military is examining the heatmap, a spokesman said.
Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.
Strava said it had excluded activities marked as private from the map.
Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.
The appearance of military bases on the heatmap suggests that large numbers of military personnel across the globe have been publicly sharing their location data.
The latest version of the map was released in November 2017, but the implications for service personnel were only raised over the weekend.
Nathan Ruser, an Australian university student who first highlighted the issue, said he came across the map while browsing a cartography blog last week.
The location of military bases is generally well-known, both from local knowledge and pre-existing satellite imaging tools like Google Earth.
Furthermore, concerns about Strava’s heatmap are mainly centred around the fact that it displays the level of activity – shown as more intense light – and the movement of personnel inside the walls.
It also appears that location data has been tracked in the area outside bases – which may show commonly-used exercise routes or patrolled roads.
Mr Ruser, 20, said he was shocked by how much detail he could see. “You can establish a pattern of life,” he said.
The settings available in Strava’s app also allow users to explicitly opt out of data collection for the heatmap – even for activities not marked as private – or to set up “privacy zones” in certain locations.
However there are now concerns around the security of the collected data, and the possibility for it to identify individual users.
Mr Ruser, who is studying international security at the Australian National University, said anyone could have spotted the information.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed,” he said.
“Someone would have noticed it at some point. I just happened to be the person who made the connection.”