An app from Finnish fitness monitoring company Polar can be used to determine where military personnel and embassy staffers live and work, as well as the location of defence bases.
Open source and social investigative site Bellingcat and Dutch news publication De Correspondent were able to access exercise data shared by users of Polar's Flow social platform, and glean large amounts of location information from it.
"We were able to scrape Polar's site ... for individuals' exercise at 200-plus ... sensitive sites, and we gathered a list of nearly 6500 unique users," researcher Foeke Postma wrote.
While other fitness monitoring and exercise sharing apps such as Strava have also been found to leak data, Polar publishes more information per user in a more accessible way.
"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," Postma said.
It is possible to locate military bases in the United States, Afghanistan and elsewhere in the world by tracking individuals' shared exercise routines.
Finding Western military service personnel was easy by cross-referencing names found on the Polar website with social network profiles such as those found on LinkedIn.
Being able to identify service personnel who are often not in uniform so as not to attract terrorist attention and potential attacks through the Polar site poses grave risks, Postma warned.
Civilians using the feature could also be targeted by people wanting to locate them.
Postma noted that even when users tighten privacy controls for sharing their exercise routines with others, the Polar website still leaks a considerable amount of data.
Worse, individual data goes back to 2014, and is displayed by Polar on a single map of the world.
Polar has acknowledged that the Explore feature could be used to provide insight into potentially sensitive locations, but blamed users for sharing their data.
"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the company said in a statement.
Nevertheless, Polar said it has temporarily suspend the Explore API.