A fitness app, a vacation photo, a live location in WhatsApp: location data feels harmless because it has become so ordinary. That is exactly the risk. A few small clues can quickly turn into a movement profile, and a movement profile can reveal private habits, business appointments, or confidential company information.
That does not mean anyone has to throw away their phone or delete every app. But people who understand what location data can reveal make better decisions: when sharing a running route, posting from a hotel, using dating apps, or quickly sharing a live location in a group.
The May Cyber Snack makes exactly that tangible: it shows how apparently banal app data can become a security problem, privately, professionally, and sometimes even geopolitically.
What makes location data so revealing
Location data becomes truly revealing when it is shared repeatedly.
A single location point often says very little. A pattern says almost everything. Someone who regularly starts from the same address in the morning, eats lunch in the same canteen, and shares the same running route in the evening is not just revealing places. They are revealing routines.
Those routines are valuable: for stalkers, burglars, fraudsters, and in a corporate context for social engineers, competitors, or intelligence services. Location data answers questions nobody asked directly: Where does someone live? When are they away from home? Who is an executive meeting with? Which company is being visited?
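The difference between a single point and a pattern can be checked against your own data before a profile goes public. The following Python code is an added example, not part of the original article: it takes the start points of your own exported activities and reports which places and times of day recur. The sample activities, the 150 m radius, and the function names are assumptions made for illustration.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample: (start time, latitude, longitude) of one's own
# exported activities. All values are made up for illustration.
ACTIVITIES = [
    ("2026-04-06T06:32", 48.13710, 11.57540),
    ("2026-04-08T06:28", 48.13718, 11.57552),
    ("2026-04-10T06:35", 48.13705, 11.57531),
    ("2026-04-11T10:05", 48.17300, 11.54600),
    ("2026-04-13T18:10", 48.14520, 11.55810),
    ("2026-04-15T18:02", 48.14528, 11.55803),
    ("2026-04-17T06:30", 48.13712, 11.57545),
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def recurring_starts(activities, radius_m=150.0, min_repeats=2):
    """Group start points within radius_m of a cluster's first point and
    return the clusters that occur at least min_repeats times."""
    clusters = []  # each cluster: anchor coordinates plus observed start hours
    for ts, lat, lon in activities:
        hour = datetime.fromisoformat(ts).hour
        for c in clusters:
            if haversine_m(lat, lon, c["lat"], c["lon"]) <= radius_m:
                c["hours"].append(hour)
                break
        else:  # no existing cluster is close enough: open a new one
            clusters.append({"lat": lat, "lon": lon, "hours": [hour]})
    findings = [
        {"lat": c["lat"], "lon": c["lon"], "count": len(c["hours"]),
         "usual_hour": Counter(c["hours"]).most_common(1)[0][0]}
        for c in clusters if len(c["hours"]) >= min_repeats
    ]
    return sorted(findings, key=lambda f: -f["count"])

if __name__ == "__main__":
    for f in recurring_starts(ACTIVITIES):
        print(f"{f['count']} activities start near ({f['lat']:.3f}, {f['lon']:.3f}), "
              f"usually around {f['usual_hour']:02d}:00: review before sharing publicly")
```

Each reported cluster is a place and time of day that a public profile would expose as a routine; the one-off activity in the sample produces no finding.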
The Strava case: one run, one aircraft carrier
A public fitness profile can reveal more than athletic ambition.
In March 2026, Le Monde showed how quickly a private fitness activity can become a security flaw. On March 13 at 10:35, a French naval officer recorded a run of a little over seven kilometers. His Strava profile was public. The route was not in a park, but on a ship in the eastern Mediterranean.
Using the publicly visible data and satellite imagery, Le Monde was able to determine the position of the Charles de Gaulle and its escort group. The deployment of the aircraft carrier was not secret. Making the precise position visible almost in real time was still highly problematic. The French armed forces later said the usage did not comply with current guidelines.
The key question is not: 'Did I post something secret?' It is: 'What can be inferred from my public signals?'
Fitness apps are not the only apps that reveal locations
Strava is only the obvious example. Location data is created in many places: in fitness apps, map apps, live locations in messenger groups, Snapchat, dating apps, and sometimes indirectly through images on Instagram, LinkedIn, or Facebook.
In late 2024, Follow the Money showed how sensitive such signals can become. The investigative team created three fictional Tinder profiles, digitally moved their locations near military bases, and identified at least 400 soldiers in a short period of time. Using distance information, profile photos, and additional public sources, they were able to reconstruct movements, roles, and in some cases even home addresses, without a match.
Why this can become dangerous privately
Privately, the risk rarely comes from one single post. It comes from combining information. A public running profile shows where someone regularly starts. Vacation photos show that the apartment is currently empty. A live location in a large group shows strangers where someone is at that moment.
Fraud also becomes more convincing. A message like 'Hi Dad, how is Lyon by the Rhône? My phone is broken and I urgently need money for the repair' feels very different when the location actually matches a recent post. Location data makes social engineering more personal.
Why location data is sensitive at work too
Social media posts, reviews, and location signals can often be pieced together.
At work, this is not only about the safety of individual people. Location data can reveal where a company is active, which customers are being visited, when executives are travelling, or which partners are meeting in the same city.
That sounds abstract, but it is everyday OSINT practice. A LinkedIn post about 'exciting strategic changes', an Instagram photo from a restaurant, a hotel review, and a visible location on a map can tell a story that was never meant to be public yet: for example an acquisition, a restructuring, or a confidential customer meeting.
A typical OSINT pattern
A CEO posts about an upcoming strategic change. On the same day, a restaurant photo and a hotel review appear. Each signal says little on its own. Together, they can point to a confidential negotiation.
Five rules that really help
The most important protective measures are simple, but they must be applied deliberately.
1. Set location permissions deliberately
Allow location access only when an app really needs it for a specific function. If possible, allow it only while using the app, not permanently in the background.
2. Make profiles private
Fitness and social media profiles should not be public by default. Check followers, old activity visibility, and automatic sharing features.
3. Limit live locations
Share live locations only with people you truly trust, and only for the period in which sharing is necessary.
4. Post with a delay
Vacation photos, running routes, and business travel are safer to publish once you are no longer there. Real time is rarely necessary.
5. Check photos before posting
Restaurant names, hotel brands, conference badges, office signs, or maps in the background can reveal more than the post itself.
What about Find My and Find My Device?
Device location is not automatically bad. If you use Find My or Find My Device to locate your own devices, that is generally useful. It becomes sensitive when you permanently share your location with other people. The same basic rule applies: only with people you truly trust.
What awareness teams should take from this
For CISOs and awareness managers, the most important lesson is this: location data is not just a data protection topic. It is an everyday topic. Employees usually do not share their location out of recklessness, but because an app is useful, a post feels harmless, or a feature is convenient.
That is why bans fall short. Concrete scenarios work better: What does a running route reveal? What is visible in the background of a photo? Who is actually in a WhatsApp group? Which app really needs precise location, and which one does not? Questions like these build judgment.
This also connects to other mobile risks, such as the rules in our insight Safe on the go, and to the core question from Online services and AI tools: which data am I giving to external services, and why?
Conclusion
Location data looks unspectacular. But unspectacular data is risky precisely because it rarely triggers suspicion. A place, a time, a photo, a distance value: harmless on their own, revealing together.
Not everyone needs to know where you are. And not every app needs to know either.
Sources
Le Monde, March 20, 2026: "StravaLeaks: France's aircraft carrier located in real time by Le Monde through fitness app"; Associated Press, March 20, 2026.
Follow the Money, December 14, 2024: "Looking for love and sex on Tinder, soldiers endanger national security".