OPSEC Mistakes — Trivia & Interesting Facts

Surprising, historical, and little-known facts about operational security failures.


Strava's fitness heatmap revealed secret military base locations in 2018

In January 2018, Strava published a global heatmap of user activity. Security researchers quickly identified the outlines of secret military bases in Afghanistan, Syria, and Somalia, where soldiers' fitness trackers had traced jogging routes around classified installations. The Pentagon subsequently banned GPS-enabled fitness devices in operational zones.


The Silk Road founder was caught because of a Stack Overflow post

Ross Ulbricht, creator of the Silk Road darknet marketplace, was identified partly because he had posted a question on Stack Overflow using his real email address asking about connecting to a Tor hidden service in PHP. He later changed the username, but the original posting data had already been captured by investigators.


An NSA exploit toolkit was leaked because someone left it on a staging server

In 2016-2017, the Shadow Brokers group released NSA hacking tools including EternalBlue. One leading theory is that an NSA operator left the toolkit on a compromised third-party server after an operation and failed to clean up. EternalBlue went on to power the WannaCry ransomware attack that hit 200,000 computers across 150 countries.


A German minister's fingerprint was cloned from press conference photos

In 2014, Jan Krissler (Starbug) of the Chaos Computer Club demonstrated that he could reproduce German Defense Minister Ursula von der Leyen's fingerprint using only high-resolution photos taken during a press conference from 3 meters away. This proved that biometric data, which unlike a password cannot be changed once exposed, could be compromised through simple OPSEC failures.


The Hacking Team breach started with a single reused password

In 2015, the Italian surveillance software company Hacking Team was itself hacked. The breach exposed 400 GB of internal data, including evidence that it sold spyware to repressive governments. The attacker, Phineas Fisher, later wrote that initial access came through a combination of a vulnerable embedded device and reused credentials found in the network.


An FBI informant was unmasked by timezone metadata in a chat log

Hector Monsegur (Sabu), a key member of LulzSec turned FBI informant, inadvertently revealed his timezone in IRC chat logs. Combined with other small OPSEC leaks — occasional use of his real IP when his VPN dropped, and a car registration lookup — this helped verify his identity before his arrest in 2011.


The Iranian nuclear program was betrayed by a USB drive in a parking lot

The Stuxnet worm, which destroyed roughly 1,000 Iranian uranium enrichment centrifuges in 2010, is believed to have initially entered the air-gapped Natanz facility via an infected USB drive. The exact delivery method remains classified, but subsequent investigations revealed that USB drives were routinely carried between connected and air-gapped networks by contractors.


A Russian spy ring was caught because of Wi-Fi proximity communication

In 2010, the FBI arrested 10 Russian "illegals" — deep-cover agents living as ordinary Americans. Part of the evidence came from FBI surveillance showing agents exchanging data by sitting near a Russian government building in New York and using ad-hoc Wi-Fi connections. The agents apparently thought short-range wireless was undetectable.


EXIF data in photos has led to dozens of criminal arrests

EXIF metadata embedded in digital photos includes GPS coordinates, device model, and timestamps. In 2012, John McAfee's location in Guatemala was revealed by a Vice magazine reporter who posted an iPhone photo with GPS coordinates intact. Law enforcement has used EXIF data to locate suspects in cases ranging from cybercrime to missing persons.


The RSA breach started with an Excel spreadsheet

In March 2011, RSA Security (maker of SecurID tokens used by millions) was breached through a phishing email with an Excel attachment titled "2011 Recruitment Plan." The spreadsheet contained a Flash zero-day exploit. The attackers eventually stole SecurID seed data, compromising the security of clients including Lockheed Martin.