A major security breach unfolded when officers and crew aboard a French nuclear submarine inadvertently exposed critical information, including their location, patrol schedules, and movements, by using the popular fitness app, Strava, according to media reports.

The app’s mapping feature, which allows users to share fitness activities and achievements globally, displayed exercise routes, effectively revealing the presence of the submarine to anyone monitoring the app—including potentially hostile entities like Moscow.

The incident occurred at the highly secure Ile Longue submarine base, situated in Brest Harbour, France. This base houses four French nuclear submarines, each equipped with 16 nuclear missiles capable of destructive power 1,000 times that of the Hiroshima and Nagasaki bombs.

The base plays a crucial role in France’s nuclear deterrence strategy. It operates under the doctrine of “permanence at sea,” which ensures that at least one submarine is always on patrol. This readiness allows France to respond to threats with nuclear force at a moment’s notice.

Despite stringent security protocols prohibiting mobile phones and employing round-the-clock surveillance, third-party fitness apps on smartwatches managed to slip through the cracks, causing this significant breach.

Fitness tracking in a secure military zone

Strava, a popular app for monitoring fitness goals and sharing achievements, became the unlikely vector for this security lapse. Its mapping feature, which logs and displays user locations during workouts, proved to be a fatal flaw in maintaining operational secrecy. 

Journalists from the French newspaper Le Monde discovered that military personnel at the Ile Longue base frequently recorded their runs and exercises using the app without hiding their identities or switching their profiles to private mode.

The base, which is home to 2,000 military personnel and employs stringent security measures such as biometric scanners, signal-proof lockers for phones, and drone surveillance, failed to account for the threat posed by fitness-tracking devices.

According to a Daily Mail report, more than 450 Strava users from the French military were active in the area over the past decade, compromising the base’s clandestine operations.

In one alarming instance, a submarine officer recorded his runs along the docks where nuclear submarines were moored. Between January and February 2023, he logged 16 separate runs, complete with precise timing and location data, which were visible on Strava.

After February 3, his account went silent, only to resume activity on March 25, suggesting a patrol aboard a nuclear submarine during that period. Similar patterns were observed among two other officers, making it clear that their fitness routines inadvertently disclosed their mission schedules.

Embarrassing revelations spark concern

Further compounding the embarrassment, an officer openly joked on Strava about returning to fitness after months aboard a submarine, referring to the vessel as a “poo box.” His post included scuba masks and bubble emojis, adding a personal touch to the sensitive information being unintentionally shared with the world.

Le Monde’s investigation, dubbed “StravaLeaks,” revealed even more troubling insights. Bodyguards of French, American, and Russian Presidents were found to use Strava as well, leaving their fitness data—and potentially their high-profile leaders’ movements—exposed.

The app’s potential for tracking military personnel and political figures has raised alarms about its misuse as a surveillance tool. This incident highlights the urgent need for stricter digital security measures within military and government institutions, especially as fitness and health-tracking technologies continue to proliferate.

While the breach at the Ile Longue base underscores the risks of wearable technology, it also serves as a wake-up call for militaries worldwide to adapt their security protocols to the digital age.