A French Sailor Tracked His Morning Run on Strava and Accidentally Revealed the Exact Location of a Nuclear Aircraft Carrier — Seven Steps to Lock Down Your Fitness App Right Now


By Alex Chen · 7 min read

A French Sailor Just Tracked His Morning Run — And Accidentally Gave the Entire Internet the Exact Location of a Nuclear Aircraft Carrier

I stared at my phone for a solid thirty seconds on Thursday morning when I saw the Le Monde headline. A Strava activity. A public profile. And boom — the precise coordinates of the Charles de Gaulle, France's only nuclear-powered aircraft carrier, sailing northwest of Cyprus with its entire strike group.

My first thought was: this cannot still be happening. My second thought was: of course it is.

Look, I've been writing about operational security for years, and every time I think we've learned the fitness tracker lesson, someone goes and logs a 7-kilometer deck run on a warship carrying nuclear-capable aircraft. In the Mediterranean. While tensions with Iran are escalating. Arthur — that's the pseudonym Le Monde gave the sailor — had his Strava profile set to "public." That's the default, by the way. And that's the entire problem.

This Is Not the First Time Strava Nearly Caused a Geopolitical Incident

Back in 2018, Strava's Global Heatmap lit up like a Christmas tree, accidentally revealing the outlines of secret U.S. military bases in Syria, Afghanistan, and Somalia. Soldiers running laps around classified facilities created glowing patterns visible to anyone with a browser. The Pentagon issued a memo. There was outrage. People said "never again."

Eight years later, a French officer just did the equivalent of dropping a GPS pin on his aircraft carrier and sharing it with 100 million Strava users.

My buddy Marcus, who spent twelve years in naval intelligence before moving to the private sector, texted me about it Friday afternoon. "The embarrassing part isn't that it happened," he said. "The embarrassing part is that we briefed the French Navy about this exact scenario in 2019. I was literally in the room."

How the Tracking Actually Works (It's Simpler Than You Think)

Here's what most people don't understand about fitness app location leaks: you don't need to be a hacker. You don't need any special tools. You need a web browser and about four minutes.

Strava, Garmin Connect, Nike Run Club, Apple Fitness — they all record GPS coordinates at one-second intervals during activities. When you finish a workout, that data syncs to the cloud. If your profile is public (or even if specific activities aren't marked private), anyone can see:

  • Your exact route — every turn, every stop, plotted on a map
  • Timestamps — when you started and finished, down to the second
  • Your location — which means your home address, your workplace, your gym, your patterns
  • Your routine — because most people run the same routes at the same times

In Arthur's case, there was nowhere to hide. When you run laps on a 261-meter flight deck in the middle of the Mediterranean Sea, the GPS coordinates don't exactly look like a morning jog through the park.

Why Your Fitness Data Is More Dangerous Than You Realize

I talked to my neighbor Lisa about this — she's a real estate agent who runs half-marathons and posts every single one on Strava. "But I'm not military," she said. "Who cares where I run?"

Here's who cares:

  • Stalkers — A 2023 study by the Cybersecurity and Infrastructure Security Agency (CISA) found that fitness app data was used in 14% of technology-facilitated stalking cases
  • Burglars — Your running routine tells them exactly when you're not home, and your GPS start point usually is your home
  • Employers and insurers — Some are quietly purchasing aggregated fitness data to assess risk profiles
  • Data brokers — Companies like Gravy Analytics (which was hit by the FTC in January 2025) have been caught buying and reselling fitness location data

And here's the thing Lisa didn't expect: when I pulled up her Strava profile, I could see her home address (start of every run), her office (where she drives to at 8:47 AM on weekdays), the school she drops her kids at (she walks there Tuesdays and Thursdays), and her weekend pattern (long run Saturday morning, brunch spot on the route). In seven minutes. From a browser.

"Well, that's terrifying," she said. She changed her settings that night.

Seven Steps to Lock Down Your Fitness App Location Data Right Now

I'm going to walk through this for the major platforms, because every single one handles privacy differently, and most of them bury the critical settings three menus deep.

Step 1: Set Your Profile to Private (Not "Followers Only" — Private)

On Strava: Settings → Privacy Controls → Profile Page → set to "Only You." "Followers Only" still leaks data to anyone you've accepted. On Garmin Connect: Settings → Privacy Settings → toggle "Private Profile." On Apple Fitness: you're in slightly better shape here — Apple doesn't have a public social feed by default, but Shared Activity still broadcasts to your contacts.

Step 2: Enable Map Privacy Zones

This is the one most people skip, and it's arguably the most important. Strava lets you create a "privacy zone" — a radius around a specific address where the start and end of your activities get hidden. Set one for your home. Set one for your workplace. I'd argue set one for anywhere you go regularly.

Strava's default radius is 200 meters. Bump it to the maximum. Yes, it makes your maps look a little weird. I don't care. Neither will you when nobody can pinpoint your front door.

Step 3: Audit Your Connected Apps

I did this last month and found six apps I'd forgotten about still pulling my Garmin data — including one I hadn't opened since 2022. Go to your fitness platform's settings, find "Connected Apps" or "API Access," and revoke anything you don't actively use. Strava alone has a page showing every third-party app with access to your data.

Step 4: Turn Off Activity Sharing by Default

Most platforms default new activities to whatever your global privacy setting is. But some — looking at you, Garmin — will reset sharing preferences after app updates. Check this quarterly. I set a calendar reminder. It takes forty-five seconds.

Step 5: Disable Live Location and Beacon Features

Strava Beacon, Garmin LiveTrack, Apple's share-my-workout — they all broadcast your real-time location to selected contacts. That's fine if you trust everyone on your list. But these features create additional data trails on company servers, and they sometimes default back on after updates.

My friend Dave turned on LiveTrack for a mountain bike race in 2024 and forgot to turn it off. His wife could see him at a bar in Portland three weeks later when he told her he was working late. That's a different kind of security incident, but the lesson applies: if you don't need a feature, turn it off.

Step 6: Scrub Your Historical Data

This is the one nobody does. You locked down your settings today — great. But what about the 847 activities you logged over the past five years with a public profile? Those are still there. Strava lets you bulk-edit visibility on past activities. Garmin makes you do it one by one, which is maddening but worth it for the sensitive ones (think: activities near your home, workplace, or kids' school).

Step 7: Consider a Dedicated Fitness Watch Without Cellular

This is the nuclear option, and I'll be honest — I haven't done it myself yet. But the argument is solid: if your fitness device doesn't have its own cellular connection and only syncs via Bluetooth to your phone, you have a physical air gap. You can record your run, review the data locally, and choose what (if anything) to upload. Garmin Forerunner 165, Polar Vantage V3, and COROS PACE 3 all work this way.
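
The privacy zone from Step 2 can also be applied locally to an exported GPX file before anything is uploaded, which is the review step that Step 7 describes. The script below is an added example, not code from Strava, Garmin or any other platform; the zone centre, the 300 m radius and the sample track are constructed, and it assumes a GPX 1.1 export.

```python
import math
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
NS = {"g": GPX_NS}
ET.register_namespace("", GPX_NS)  # keep the default namespace on output


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def scrub_gpx(gpx_text, zones):
    """Drop every trackpoint inside any (lat, lon, radius_m) zone.

    Stricter than hiding only the start and end: a mid-run pass by the
    front door is removed too. Returns (scrubbed_xml, kept, removed).
    """
    root = ET.fromstring(gpx_text)
    kept = removed = 0
    for seg in root.findall(".//g:trkseg", NS):
        for pt in list(seg.findall("g:trkpt", NS)):
            lat, lon = float(pt.get("lat")), float(pt.get("lon"))
            if any(haversine_m(lat, lon, zl, zo) <= rad for zl, zo, rad in zones):
                seg.remove(pt)
                removed += 1
            else:
                kept += 1
    return ET.tostring(root, encoding="unicode"), kept, removed


def sample_gpx():
    """Constructed out-and-back run; 0.001 degrees of latitude is about 111 m."""
    lats = [48.000, 48.001, 48.002, 48.003, 48.004, 48.003, 48.002, 48.001, 48.000]
    pts = "".join(
        f'<trkpt lat="{lat:.3f}" lon="2.000"><time>2024-01-01T07:00:{i:02d}Z</time></trkpt>'
        for i, lat in enumerate(lats))
    return f'<gpx xmlns="{GPX_NS}" version="1.1" creator="constructed"><trk><trkseg>{pts}</trkseg></trk></gpx>'


if __name__ == "__main__":
    HOME_ZONE = [(48.000, 2.000, 300)]  # constructed centre, 300 m radius
    _, kept, removed = scrub_gpx(sample_gpx(), HOME_ZONE)
    print(f"kept {kept} points, removed {removed}")
```

Centre each zone on a point offset from the real address: a circle centred exactly on your front door gives the door away as the midpoint of where your tracks vanish.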

The Bigger Picture: Your Data Leaks Whether You Want It to or Not

I want to be clear about something: even if you follow every step above, you're still generating location data that flows through company servers. Strava's privacy policy explicitly says they can use aggregated, de-identified data for their heatmap and Metro products. "De-identified" sounds reassuring until you read the academic research showing that location data can be re-identified with 95% accuracy using just four data points (MIT Human Dynamics Lab, 2013 — and the methods have only gotten better since).

The StravaLeaks story isn't just about one French sailor who forgot to toggle a setting. It's about the fundamental tension between fitness tracking and privacy. We carry devices that know exactly where we are, every second, and we voluntarily upload that information to companies whose business model depends on having it.

I'm not saying stop using fitness apps. I've been on Strava since 2016, and my competitive streak won't let me quit. But I am saying: treat your fitness data like you'd treat your banking credentials. Because to someone with bad intentions, your daily running route is worth just as much as your password.

Quick Reference: Privacy Settings by Platform

| Platform | Private Profile | Map Privacy Zone | Bulk Edit History | Connected Apps Audit |
|---|---|---|---|---|
| Strava | Settings → Privacy | Settings → Privacy → Map Visibility | Yes (bulk select) | Settings → Apps |
| Garmin Connect | Settings → Privacy | Not available (use private activities) | No (one by one) | Settings → Connections |
| Apple Fitness | Sharing → toggle off | N/A (no public map sharing) | N/A | Settings → Privacy → Health |
| Nike Run Club | Profile → Privacy | Not available | No | N/A (limited integrations) |

Go lock your stuff down. Right now. Before you forget. I'll wait.
