Many users of the popular fitness app Strava, including myself, went to Twitter and Reddit to share strange emails they had received. The emails come from a suspiciously named Strava account and look like a spam scam.
What is Strava?
If you haven't heard of Strava, it is a fitness app that keeps track of your cycling and running exercise data, and it's quite popular.
The app has millions of users around the world and the number is growing by 1 million every 45 days according to Strava founders.
Email from Strava "lonely girl". What?
The messages read “Hello! I am a lonely beautiful girl write to me here www.tinyurl/sendsms1112 wants you to check out December Gran Fondo.”
Yes, this looks pretty bizarre, and at first it seems that users who received the message had their email addresses phished, or maybe even that Strava suffered a security breach that allowed attackers to get hold of user emails.
What was it?
But after closer inspection, things look much more innocent, though still worrying to a degree.
The emails are in fact invitations to one of the many exercise challenges in December, a feature found on most fitness apps.
As with most other apps, Strava members can send invitations to the challenge to their friends and people who follow them.
Next, the "lonely girl" part of the email is in fact just the username of the spam account, which becomes apparent once you notice that the rest of the email reads like any other challenge invitation.
This one only looks different, but in fact it's just one extremely long username dropped into the standard invitation template. Strava should definitely do something about the maximum number of characters a username can have, because "Hello! I am a lonely beautiful girl write to me here www.tinyurl/sendsms1112" is definitely too long.
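The fix the post asks for, a cap on username length, is one of several checks a service can run before a user-chosen display name is dropped into a notification template. The following is an added example, not Strava's code; the length and word limits are assumed policy values, and the name strings are constructed for the demo (the first one is the username quoted above).

```python
import re

# Constructed sample display names for the demo.
SPAM_NAME = "Hello! I am a lonely beautiful girl write to me here www.tinyurl/sendsms1112"
NORMAL_NAME = "Jane Doe"

# Assumed policy values; Strava's real limits are not known from the post.
MAX_NAME_LEN = 40
MAX_NAME_WORDS = 4

# Tokens that look like links even when no scheme is present: "www.", a URL shortener
# host, or a bare domain with a common TLD. The quoted spam name has no "http://".
URL_LIKE = re.compile(
    r"(?i)(https?://|www\.|tinyurl|bit\.ly|t\.co\b|\b[a-z0-9-]+\.(com|net|org|io|ly|info)\b)"
)


def validate_display_name(name: str) -> list[str]:
    """Return the list of policy violations for a display name (empty means accepted)."""
    problems: list[str] = []
    stripped = " ".join(name.split())  # collapse runs of whitespace and newlines
    if not stripped:
        problems.append("empty")
        return problems
    if len(stripped) > MAX_NAME_LEN:
        problems.append(f"too long ({len(stripped)} > {MAX_NAME_LEN})")
    if len(stripped.split()) > MAX_NAME_WORDS:
        problems.append(f"too many words ({len(stripped.split())} > {MAX_NAME_WORDS})")
    if URL_LIKE.search(stripped):
        problems.append("contains a link-like token")
    return problems


def render_invitation(sender_name: str, challenge: str) -> str:
    """Build the invitation text, refusing names that fail the policy.

    The name is inserted as plain data into a fixed template; it never becomes
    part of the template itself, so it cannot change the surrounding wording.
    """
    problems = validate_display_name(sender_name)
    if problems:
        raise ValueError("display name rejected: " + "; ".join(problems))
    return f"{sender_name} wants you to check out {challenge}."


if __name__ == "__main__":
    for name in (NORMAL_NAME, SPAM_NAME):
        try:
            print(render_invitation(name, "December Gran Fondo"))
        except ValueError as err:
            print(err)
```

Applying the same check when a user renames an account, not only at sign-up, matters here: the first explanation offered below is that the account was renamed after it had already collected friends, so a rename path that skips validation would defeat the limit.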
Why has the spam account managed to reach so many users?
The thing is, there's still the question of why the spam account managed to reach so many users. After all, you can only send invitations to your friends and followers.
There are a few potential explanations.
- Firstly, since Strava allows users to change their name, maybe the account in question first managed to befriend a large number of users, then simply changed its username to the abomination shown above, and then spammed them all with the challenge invitation. This would also explain why both male and female users received the invitation.
- Next, the spam account could somehow circumvent the invitation requirements – the one that you can only send invitations to the people following you or your friends – and send a batch invitation to thousands of users.
- Another potential explanation is that a spam account that already has thousands of friends on Facebook (which is filled with similar spam accounts) simply imported all those Facebook friends (many of whom have a Strava account) and then spammed them all.
- Finally, the least probable explanation is that someone bought a batch of emails tied to Strava accounts that somehow leaked and then spammed them with invitations. This doesn't seem likely, because the emails were regular challenge invitations sent through Strava itself. The only thing different was that stupendously long and fishy username.
Truth be told, Strava has had security issues in the past. Last year lots of users received invitations to a Strava group called "SEX Club." It looks like the company deleted the group before anyone was harmed in any way.
The app, like many other fitness apps, has inherent privacy issues – known as "Fit Leaking" – since it's based on GPS tracking data that anyone can access.
These privacy issues led to the app leaking the locations of secret US military bases, which showed up in the app's regular heat maps visualizing routes taken by Strava users.
Whatever the case might be this time, we recommend that everyone who received the spam message change both their Strava and email passwords and review Strava's privacy options.
Better to be safe than sorry, especially when it comes to your privacy and security.