Image|Scott Webb, via pixabay

Strava Vulnerability Reveals Israeli Security Staff Run Locations

A vulnerability in STRAVA security has been used by researchers at FakeReporter.net to obtain the details of approximately 100 Israeli Security Staff at the Palmahin Air Force Base & Space Port, Moshav Ora Intelligence base and at 4 other locations in Israel.

Source: twitter.com/FakeReporter

Readers might remember a similar story in 2018 that allowed the discovery of ‘secret’ US military bases in Syria using Strava’s heatmaps. Update: 20 March 2026 and Strava data exposes the position of the French aircraft carrier near Cyprus during wartime.

How Strava Works

Smartphones and sport watches record the GPS route of Strava users’ workouts and the finished workouts are uploaded to the Strava cloud. Strava presents insights back to its users on their app but also shows users their performance compared to others over defined paths they call segments which could be anything longer than a few tens of metres. Each segment has a leaderboard with the leaders shown by name, age and sex. It is sometimes possible to click on the leaderboard to find out more about the leaders and their sporting activities.

How Did It Happen This Time?

The breach looks to be a combination of deliberately fake workouts and security settings that confused Israeli military personnel.

Firstly it seems that researcher Ez Shehl created some fake yet realistic workouts at various military bases without ever going there and then uploaded them to Strava. Reality Check: This IS plausible. I think if I had a couple of hours I could probably do that if I knew the location of the base. I would create a GPX route using one of many tools (eg Strava!) and then reverse-engineer real run data from another workout onto those GPS points.

Secondly, any Strava segment that was used in the ‘run’ will have a leaderboard. It seems that this is where Strava have a problem as some Strava users appear on those leaderboards even if their accounts are set to private.

Reality Check: I don’t think this part of the story is correct. It’s more likely that security personnel did not properly secure their accounts…admittedly Strava could have made it more obvious how to do this. There appears to be no single ‘kill switch’ that fully privatises the account.

Then again Strava claims to have already fixed whatever issue there was.

What Information Was Compromised

The researchers responsibly went through the proper channels and none of the details that were discovered about military personnel have been made public. It seems that it was possible to ascertain the name, user photos and locations of some of the run locations of military personnel.

When asked for comment, Strava said “We take matters of privacy very seriously and have addressed the reported issues.” (via the Haaretz newspaper)

Take Out

The heatmap breach from 5 years ago always seemed like a bit of a storm in a teacup to me. Nothing too personal was really revealed other than the location of large military bases that could be seen on Google Maps in any case plus sections in the bases where soldiers frequently ran.

This time it’s more important as individual names and photos were obtained.

← Back to the Strava Hub

Last Updated on 28 May 2026 by the5krunner

the5krunner

tfk is the founder and author of the5krunner, an independent endurance sports technology publication. With 20 years of hands-on testing of GPS watches and wearables, and competing in triathlons at an international age-group level, tfk provides in-depth expert analysis of fitness technology for serious athletes and endurance sport competitors. ID