The timings and personal details - including photos, home addresses and the identities of family members - of other users who ran the same segments were subsequently revealed on the Strava scoreboard, even if they had their accounts set to "private".
A senior defence official identified as "N" was one of at least 100 Israeli individuals affected by the vulnerability, according to FakeReporter. It posted screenshots showing runs from their home and inside various air force bases in Israel, as well as runs in Ukraine.
FakeReporter said it had told Israeli authorities about the security breach as soon as it became aware and that it had contacted Strava after receiving their approval.
"Despite past revelations, it does not appear that Israeli security agencies have caught up," Achiya Schatz, the watchdog's director, said in a statement. "Although Strava made significant updates to its privacy settings, confused users might still be exposed publicly, even if their profiles were set to 'private'."
"By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike."
Strava told Israel's Haaretz newspaper, external: "We take matters of privacy very seriously and have addressed the reported issues."