The Explore component of Polar Flow was meant to show anonymous data on its users and their activities around the globe, displaying it in a similar fashion to the activity map that was responsible for Strava's woes earlier in the year.
An app from Finnish fitness monitoring company Polar can be used to determine where military personnel and embassy staffers live and work, as well as the location of defence bases.
In a similar incident, Strava found itself in hot water in January: it released a heat map showing the fitness activity of its users from around the world in an attempt to highlight its active user base, but it inadvertently made it possible to figure out how people move around sensitive locations like foreign military bases. The data collected includes heart rates, dates, times, exercise duration, and routes of runs taken.
In the meantime, it's probably best to go through Polar Flow (and pretty much any other fitness platform you use) and double check your settings, just in case.
However, the investigation claims that, despite many users making their profiles private, it was able to find user details due to "an oversight in the Polar app".
The investigation found the names and addresses of personnel from multiple intelligence agencies including the NSA, US Secret Service and MI6. On Friday, the company issued a statement in which it said that it did not leak users' private information and that there had been no data breach affecting private data. Even if all hoops had been jumped through, data like names, locations and photos remain publicly available, and it is still possible to retrieve a user's ID and establish that different exercise sessions belonged to the same user.
Falling short of acknowledging its responsibility for the potentially disastrous data leak, Polar instead pinned the blame on the users themselves, noting that "the decision to opt-in and share training sessions and Global Positioning System location data is a choice and responsibility of the customer".
Open source and social investigative site Bellingcat and Dutch news publication De Correspondent were able to access exercise data shared by users of Polar's Flow social platform, and glean large amounts of location information from it. In a statement, the company said that it has "recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations".
We reached out to Polar for comment on the reports, and the company responded: "All your profile, training sessions and activity summaries are all set to private by default".