Worrying news for Strava users.


Johnno260

Veteran
Location
East Sussex
I caught this hacker out as they shared a picture I had only uploaded to Strava, his retort was this picture, now it’s not my house as I have the radius setting on max but it’s still a concern.

My response was to not engage on Twitter, I actually took screenshots of the exchange and deactivated my account and I have no plan to go back there, a friend is keeping me apprised if they add anything else but once they realised I had nuked my account they seem to have gloated and moved on, I don’t care about his perceived win, I have a family to consider and that takes precedence.

To be honest I hope it stays that way as I was up all night and my anxiety and depression has hit rock bottom.

As for Strava I have kicked all followers and followings, ditched my clubs and put everything on max privacy which removes you from all leaderboards and rankings, marked all historical activities as private (they have a neat tool for that)

I changed my passwords, changed my nick, and have explained the situation to customer support, I have asked if they can clone me a new account, using an alternative email and another new username.

Please all check your settings if you’re a Strava user, check pictures for anything that could be used against you, make sure usernames or pictures aren’t cross posted to other platforms.

I wanted to go out tomorrow for a nice 40 miles on Sunday morning but I have lost my will to go out currently, and that’s a double edged blade as my mental health issues take a nose dive if I’m off the bike.

Stay safe everyone.
 

Deleted member 26715

Guest
Sorry I'm lost, were you arguing with him/them on Twitter? What did he/they perceive they had won, forcing you off Twitter?
 

Johnno260

Veteran
Location
East Sussex
Sorry I'm lost, were you arguing with him/them on Twitter? What did he/they perceive they had won, forcing you off Twitter?

I was in a discussion with someone talking about some nice pictures on Stonehenge then this account tagged me.

Started off addressing me with my actual name used on Strava not on Twitter, some other details and it escalated quickly.

As for his win, calling me a leftie commie, the usual associated insults etc, them feeling like the big man when I stopped engaging and deactivated my account.
 

Johnno260

Veteran
Location
East Sussex
Sorry for the crappy grammar I’m tired and like I said my anxiety and depression took a knock.

Also I’m taking the screenshot down, as I’m now paranoid about things.

I must’ve made an error with my privacy details somehow, that’s on me, it’s why I took the decision to change passwords and max all my privacy settings.
 

Johnno260

Veteran
Location
East Sussex
Also wanted to advise people here in case it’s an issue with Strava have they had a password leak etc.

Again sorry for the ramble but yea tired etc.
 

Deleted member 26715

Guest
Also wanted to advise people here in case it’s an issue with Strava have they had a password leak etc.

Again sorry for the ramble but yea tired etc.

More likely to be a Twitter leak didn't they lose millions of email addresses with passwords, we had somebody hitting our servers with thousands & thousands of email/password attempts, they would do 100,000 hotmail.co.uk, then 100,000 icloud.com, 100.000 someuniversity.ac.uk
 

Johnno260

Veteran
Location
East Sussex
More likely to be a Twitter leak didn't they lose millions of email addresses with passwords, we had somebody hitting our servers with thousands & thousands of email/password attempts, they would do 100,000 hotmail.co.uk, then 100,000 icloud.com, 100.000 someuniversity.ac.uk

Quite possible that’s why I spent hrs changing passwords and usernames.
 

Tom B

Guru
Location
Lancashire
Isn't the simple answer don't post stuff on social media that you wouldn't be happy to leave on a train or be in the public domain?

Privacy zones.... Just start and stop your ride a random distance from home?
 

Johnno260

Veteran
Location
East Sussex
My question to Strava was my account was marked as private, so I wanted an explanation of how this person accessed my details if my password isn’t compromised.
 

Deleted member 26715

Guest
Do you follow anybody or does anybody follow you, it might be it's not your account that is compromised
 

Dogtrousers

Kilometre nibbler
I think you're right on the mark with this remark. For me it's a particular concern in cycling groups or clubs and in mine we are very careful to do all we can to ensure online conversation about rides is kept as private as possible and only between members.

Fortunately, our CycleChat forum rides are very hush hush... Only people with internet connections and web browsers can read about them!

Years ago I was on a ride organised openly on CC. This included the nominated cafe stop. When we got to the cafe stop someone accosted one of the riders (not me!!!) and rather loudly and dramatically accused them of something (having an affair ... something like that). All very loud and unpleasant. The accuser knew where the accusee would be from CC. IIRC the two had not met before in real life, so there was some stalking going on.

All kinds of things can happen which is why I personally think it's best to organise such things on private chats and use the open forum to ask for interest. Then people can be added/removed from the chat and details are not out in the open, and people can say things like "You'll recognise me because I'm riding a Pinarello Dogma diamond-studded special edition with gold-plated DI2, that I never lock for fear of scratching it". I'm normally shy about letting people know that I have such a cool bike.

It's a minor hassle setting up the chat, but once you're on it's just as easy to reply to/monitor as a thread is.

Just my 5p.
 

Dogtrousers

Kilometre nibbler
If you have a ride that starts in one direction and comes back from the exact opposite then it is obvious that you must live in the middle bit
which in some cases narrows it down to one or two houses
This is effectively what they do, roughly.

Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
You can read the pdf here: A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks: https://dl.acm.org/doi/10.1145/3548606.3560616

It works something like this, I think: They see that your ride disappears from view at point X where you cross the privacy zone boundary. Point X is, say 30 km into the ride, and the ride is 30.5 km long. So they know your house is 500m, routed along streets, from X. That gives them a relatively small number of possible locations. They then repeat this for another ride that crosses the privacy zone boundary at another point, Y, and cut down the number of possible locations, and so on.

Edit: Hang on "up to 85%" What does that mean? "Up to" 85% could be 0%.
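
For anyone wanting to gauge how much their own privacy zone gives away, the narrowing-down described in the post above can be simulated on made-up data. This is an added example, not part of the original post or the paper's code; the street grid, zone, ride figures and all function names are constructed, and it assumes the hidden stretch follows the shortest street route.

```python
from collections import deque

BLOCK_M = 100  # constructed street grid: intersections 100 m apart

def street_grid(size):
    """Adjacency dict for a size x size grid of intersections (constructed)."""
    steps = ((1, 0), (-1, 0), (0, 1), (0, -1))
    return {(x, y): [(x + dx, y + dy) for dx, dy in steps
                     if 0 <= x + dx < size and 0 <= y + dy < size]
            for x in range(size) for y in range(size)}

def routed_distances(graph, start):
    """Breadth-first search: distance along streets, in metres, from start."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + BLOCK_M
                queue.append(nxt)
    return dist

def in_zone(node, centre, radius_blocks):
    """True if the intersection lies inside the circular privacy zone."""
    return (node[0] - centre[0]) ** 2 + (node[1] - centre[1]) ** 2 <= radius_blocks ** 2

def remaining_candidates(graph, centre, radius_blocks, rides):
    """Intersections in the zone consistent with every ride.

    rides: (boundary_point, total_m, visible_m) tuples. Assumes the hidden
    stretch follows the shortest street route, which is a simplification.
    """
    cands = {n for n in graph if in_zone(n, centre, radius_blocks)}
    for boundary_point, total_m, visible_m in rides:
        hidden_m = total_m - visible_m          # the leaked quantity
        dist = routed_distances(graph, boundary_point)
        cands = {n for n in cands if dist.get(n) == hidden_m}
    return cands

# Constructed sample: zone of radius 3 blocks centred on (5, 5), home at (4, 4).
GRID = street_grid(11)
CENTRE, RADIUS = (5, 5), 3
RIDE_X = ((5, 8), 30_500, 30_000)   # 500 m hidden, as in the post's example
RIDE_Y = ((2, 5), 42_300, 42_000)   # 300 m hidden, second boundary point

if __name__ == "__main__":
    zone = remaining_candidates(GRID, CENTRE, RADIUS, [])
    one = remaining_candidates(GRID, CENTRE, RADIUS, [RIDE_X])
    two = remaining_candidates(GRID, CENTRE, RADIUS, [RIDE_X, RIDE_Y])
    print(len(zone), len(one), sorted(two))
```

On this constructed grid the zone starts with 29 possible intersections, one ride leaves 5, and the second ride leaves only the home intersection, which is why the total-minus-visible distance is the figure worth hiding.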
 

steverob

Guru
Location
Buckinghamshire
Well it's good then that my privacy zone isn't centred on my house. Though that wasn't due to any sort of security concerns - I moved it to a different road nearby as otherwise the zone would have covered up the start point of a segment I normally do near the start of my rides (if I'm going in that direction). Any segments that start or finish in a privacy zone don't register and we can't have that now can we?!
 