Strava app leak compromises security at French nuclear submarine base

In a significant security breach, crew members of French nuclear submarines inadvertently revealed classified details, including their locations and patrol schedules, through the fitness tracking app Strava. The breach occurred at the highly secure Ile Longue submarine base in Brest Harbour, which serves as the operational hub for France’s fleet of nuclear-armed submarines.

Strava, a popular fitness app that maps users’ exercise routes globally, became an unintentional security loophole. Despite strict protocols at the base—such as bans on mobile phones and rigorous surveillance—smartwatches equipped with third-party apps like Strava went undetected. This allowed personnel to disclose critical information unwittingly through their exercise data.

Investigations have revealed that over 450 Strava accounts linked to French military personnel have been active around the base over the past decade. Startlingly, many users operated public profiles, often using their real names. For example, one officer recorded multiple runs along the submarine docks in early 2023, complete with precise timestamps. His account activity ceased during an active patrol, resuming only after March 25, 2023—an inadvertent confirmation of submarine deployment schedules.

In one particularly alarming instance, an officer returned from patrol and posted a comment on the app joking about the challenges of resuming fitness after spending “two-and-a-half months in a poo box,” accompanied by scuba mask emojis. Such posts, while seemingly harmless, provided additional confirmation of classified movements.

Further investigations by Le Monde revealed that the risks extend beyond the French military. Bodyguards for the French, American, and Russian Presidents were also found to have used Strava, potentially exposing sensitive details of their movements and operations.