Strava, the company behind the popular activity-tracking app, published a huge cache of aggregated user data last year—and it’s now been shown to reveal some fairly sensitive defense secrets.

The news: The Guardian reports that researchers have found the locations of military bases in places like Afghanistan and Syria lurking in Strava’s public data dump. (Pictured above is data from an American base in Helmand province.) The finding suggests that soldiers—mainly from the US and allied Western countries—have been making their own workout data public.

Why it matters: In such locations, almost all Strava users will be military staff. That means the exercise activity can be assumed to come entirely from foreign forces, and the resulting data is reportedly detailed enough for enemies to map the bases.

What next: The US-led coalition against the Islamic State tells the Washington Post ($) that it is “in the process of implementing refined guidance on privacy settings for wireless technologies and applications.” Strava suggests that military personnel opt out of sharing data.