Polar Flow's Public API Exposed GPS Home Addresses of Soldiers, Spies, and 30 Million Users

De Correspondent / Bellingcat
[Figure: heatmap of GPS workout routes overlaid on a satellite map, showing exercise paths converging on and departing from a sensitive government facility. Image: Bad.Technology archive]

What happened

In July 2018, Dutch journalists at De Correspondent and Bellingcat discovered that Polar Flow's public Explore API returned the full GPS activity history of any user — including those with private profiles — with no rate limiting and no authentication required. By cross-referencing workout routes logged near sensitive facilities with home-address routes, researchers identified 6,460 individuals working at NSA headquarters, the White House, MI6, Guantánamo Bay, and nuclear storage sites across 69 countries. The app had 30 million registered users at the time, all of whose historical routes were queryable.[1]

What went wrong

Polar's Explore feature was designed to surface public workout routes globally, but the underlying API endpoint imposed no per-IP request limits, no authentication, and no distinction between users with public versus private profile settings. Private-profile users' activity data was being served to the public endpoint. The API had been live and undocumented since 2014, accumulating four years of GPS tracks before a journalist queried it systematically. Polar's initial response was to state that no private data had been leaked — technically accurate only because the API treated all data as public by design.[1]

Lesson learned

APIs that aggregate location data must enforce rate limits, require authentication, and honour per-user privacy settings at the query level — not just the display level. Four years of GPS history is a surveillance dataset, not a fitness feature.
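The failure described under "What went wrong" and the three controls named in the lesson can be shown side by side in code. The following is an added example and not Polar's own code: a small in-memory model of an "Explore" endpoint, with a legacy handler that serves every route regardless of profile setting (the behaviour the page describes) next to a hardened handler that requires a token, rate-limits per caller, and applies the profile visibility flag inside the query rather than at display time. The users, tokens, coordinates and bounding box are constructed sample data; the token-to-user mapping and the limiter parameters are assumptions for the demonstration.

```python
"""Query-level privacy enforcement for a location-history API (added example).

Constructed sample data throughout; no real users, tokens or coordinates.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class User:
    user_id: str
    profile_public: bool  # the per-user privacy setting the query must honour


@dataclass(frozen=True)
class Activity:
    activity_id: str
    user_id: str
    start: tuple  # (lat, lon) of the first GPS fix; the full track is omitted here


class RateLimiter:
    """Sliding-window limiter keyed by caller; the clock is injectable for tests."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, caller_id):
        now = self.clock()
        hits = self._hits[caller_id]
        while hits and now - hits[0] >= self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def in_bbox(point, bbox):
    lat, lon = point
    south, west, north, east = bbox
    return south <= lat <= north and west <= lon <= east


class LegacyExploreApi:
    """Models the flaw on the page: no token, no limiter, and private-profile
    activities are served exactly like public ones."""

    def __init__(self, activities):
        self.activities = activities

    def explore(self, bbox):
        return [a for a in self.activities if in_bbox(a.start, bbox)]


class HardenedExploreApi:
    def __init__(self, users, activities, tokens, limiter):
        self.users = {u.user_id: u for u in users}
        self.activities = activities
        self.tokens = tokens  # assumed token -> user_id mapping (constructed)
        self.limiter = limiter

    def explore(self, token, bbox):
        caller_id = self.tokens.get(token)
        if caller_id is None:
            raise PermissionError("authentication required")
        if not self.limiter.allow(caller_id):
            raise RuntimeError("rate limit exceeded")
        # Visibility is decided per row here, before anything leaves the data layer:
        # a private profile's activities are returned only to their owner.
        return [
            a for a in self.activities
            if in_bbox(a.start, bbox)
            and (self.users[a.user_id].profile_public or a.user_id == caller_id)
        ]


# Constructed sample data: one public user, one private user, three activities.
USERS = [User("alice", True), User("bob", False)]
ACTIVITIES = [
    Activity("a1", "alice", (52.10, 5.10)),
    Activity("b1", "bob", (52.11, 5.11)),
    Activity("b2", "bob", (40.00, -3.00)),  # outside the queried box
]
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
BBOX = (52.0, 5.0, 52.2, 5.2)  # south, west, north, east


def run_scenario(max_requests=3):
    """Exercises both endpoints with a fake clock and returns the observable outcomes."""
    fake_now = [1000.0]
    limiter = RateLimiter(max_requests, 60, clock=lambda: fake_now[0])
    legacy = LegacyExploreApi(ACTIVITIES)
    hardened = HardenedExploreApi(USERS, ACTIVITIES, TOKENS, limiter)
    ids = lambda rows: sorted(a.activity_id for a in rows)

    out = {"legacy": ids(legacy.explore(BBOX))}          # bob's private b1 leaks
    out["as_alice"] = ids(hardened.explore("tok-alice", BBOX))  # only public a1
    out["as_bob"] = ids(hardened.explore("tok-bob", BBOX))      # a1 plus bob's own b1
    try:
        hardened.explore(None, BBOX)
        out["anonymous"] = "served"
    except PermissionError:
        out["anonymous"] = "rejected"
    allowed = 0  # alice has used 1 of max_requests; see how many more get through
    for _ in range(max_requests):
        try:
            hardened.explore("tok-alice", BBOX)
            allowed += 1
        except RuntimeError:
            break
    out["extra_requests_allowed"] = allowed
    fake_now[0] += 61  # advance past the window; the limiter should reset
    try:
        hardened.explore("tok-alice", BBOX)
        out["allowed_after_window"] = True
    except RuntimeError:
        out["allowed_after_window"] = False
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point of the contrast is where the visibility decision lives: the legacy handler has no notion of the caller at all, so the only place a private flag could be applied is in a client that renders the results, which is exactly the display-level filtering the lesson warns against. In the hardened handler the row filter, the identity check and the limiter all run before the result set exists, so a bulk enumeration by an unauthenticated or high-volume caller fails at the query rather than being trimmed afterwards.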

Sources

  1. [1]

External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.