U.S. soldiers stationed at various bases in Europe accidentally exposed sensitive data related to America’s nuclear weapons stockpile via poorly secured flashcard apps they were using to memorize said secrets, according to a stunning new report.
In what seems like a mind-boggling mishandling of America’s most sensitive national security information, the soldiers accidentally revealed “not just the bases” where the nukes were stored but, in two cases, also “the exact shelters with ‘hot’ vaults that likely contain nuclear weapons,” writes Foeke Postma, a researcher with the OSINT-focused investigative team Bellingcat. They also revealed a whole bunch of other data about the military bases, including secret codes, passwords, and local security layouts.
Amazingly, the troops used common study apps like Chegg, Cram, and Quizlet to store really sensitive data about European nuke bases and then seemingly forgot to change the apps’ settings from public to private, Postma’s research suggests. Some of the same soldiers also apparently left their usernames public-facing, which “included the full names of the individuals who created them,” while also using the same photos they had stored on their LinkedIn profiles—making them easy to track down.
It is unclear from the report why they did any of this.
Postma claims he was able to ascertain much of this information merely by Googling official terms and acronyms associated with the U.S. nuclear weapons program. When he did, he found a public-facing set of 70 flashcards entitled “Study!” that revealed information related to the apparent nuclear inventory at Volkel Air Base in the Netherlands (a long-rumored locale of a U.S. nuke stockpile). More horrifyingly, Postma claims that subsequent open-source searches discovered more flashcard caches, which collectively revealed “details of vaults at all the other bases in Europe that reportedly host nuclear weapons.”
Some flashcards detailed the number of security cameras and their positions at various bases, information on sensors and radar systems, the unique identifiers of restricted area badges (RAB) for Incirlik, Volkel, and Aviano as well as secret duress words and the type of equipment carried by response forces protecting bases.
“The scale to which soldiers have uploaded and inadvertently shared security details represents a massive operational security failure,” said Postma. “Due to the potential implications around public safety, Bellingcat contacted NATO, US European Command (EUCOM), the US Department of Defence (DoD) and the Dutch Ministry of Defence (MoD) four weeks in advance of this publication.” Since then, the flashcards associated with these leaks have been taken down, Postma writes, although Motherboard reports that some remain available on the Wayback Machine.
If accurate, this story is a way worse version of the Joe Biden Venmo incident—wherein the U.S. president left exposed all of his pay-app contacts, including family members and friends. Government officials need to learn that civilian apps just aren’t for them. Seriously, there wasn’t some sort of officially issued study app with military-grade encryption they could’ve used? At the very least, it would behoove them to discover the privacy settings—especially if they’re quizzing each other on America’s death bomb inventory.