Special Air Service soldiers have been identified on a fitness app used by 50 million people in a shocking security lapse.

The elite troops are entitled to lifelong anonymity due to the dangerous secret missions they undertake. But their names and personal details were revealed on popular sports app Strava and may have been harvested by Russian military intelligence agents.

At a time when the Kremlin's GRU branch – Russia's version of MI6 – is conducting a global hacking campaign, a researcher from investigative website Bellingcat hoodwinked Strava into providing personal information on troops who run inside the SAS's top-secret base in Hereford.

The elite troops are entitled to lifelong anonymity due to the dangerous secret missions they undertake

Nick Waters revealed the security failure to horrified senior officers at the Royal Military Academy Sandhurst, explaining how the app identified 14 SAS troops in just five minutes after he invented a fictitious run inside the camp.

He said: 'I made up my own training session and convinced Strava that I had run a certain distance in a certain time inside the base.

'The app then started giving me the names and Facebook profiles of people who had actually run the same route.

'I started freaking out a bit because I knew this was the kind of information I probably shouldn't have access to. So I turned it off. It shows how social media is an incredibly powerful monitoring tool and it can be used by anyone to access personal information.'

Strava is supposed to record only workouts. Members of the site, which is used in 195 countries, then share their results with other users

The Bellingcat website is best known for identifying the two key suspects in the Novichok poisoning of Sergei Skripal in Salisbury in 2018.

Mr Waters, a former Army infantry officer who served in Afghanistan, is the website's senior investigator. Using his basic knowledge of computer programming, he got around Strava's security settings and was shown the profiles of soldiers who had taken steps to ensure their run times on Strava remained anonymous.

Strava is supposed to record only workouts. Members of the site, which is used in 195 countries, then share their results with other users.

But after uploading three lines of code on to the app, Mr Waters could invent a run and make up a time. His laptop screen then filled with names and faces of people – thought to be SAS personnel – who run along the same route. Using the same trick, Mr Waters also identified the possible locations of Special Forces bases in Syria and Somalia.

Last night Strava said: 'The safety and privacy of our athletes is our highest priority. We've long had a suite of privacy tools that give members control over what they share.

'We've improved these self-service features to make them even simpler and more transparent and encourage members of the Armed Forces using Strava to follow the policies of their military branch.' The Ministry of Defence said it took individuals' online security 'very seriously'.