Adversaries have used commercially-available location data to attack individual US service members in war zones, according to a report furnished by the Department of Defense to Oregon Sen. Ron Wyden, and first reported by Reuters. Wyden is a Democratic member of the Senate intelligence committee. 

Responding to four questions Wyden had posed about this potential avenue of vulnerability for service members deployed to the Middle East, the Pentagon said that US Central Command “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater. The Threat Fusion Cell identified, tracked, and disseminated these threats through the USCENTCOM Threat Working Group and to component force protection personnel.” 

A US Army soldier takes an iPhone selfie at a base in Qayyara, Iraq in 2016 (Reuters – Alaa Al-Marjani)

Elaborating on the nature of the threat, the Pentagon noted that: 

“Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries ​to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes.” 

The Pentagon’s brief set of responses did not provide details on any specific incidents. Early in the US-Israeli war on Iran, two DOD officials were wounded in an Iranian drone strike on a Crowne Plaza hotel in Bahrain. After the strike, a senior Iranian official told Drop Site that Iran had built a “target bank” of both American and Israeli personnel.  “The fact that they’ve now pinpointed the residences/locations of some of these forces has really caught the Americans and Israelis off guard,” the official said, without detailing Iran’s methodology. He did say the building of the target bank began after the 2025 12-Day War.   

⭕️ NEW: Iranian Hotel Strike in Bahrain Injured U.S. Defense Personnel, Diplomatic Cable Comfirms

U.S. lawmakers and mainstream media have described Iranian strikes on Gulf hotels as indiscriminate attacks on civilian targets. But The Washington Post reports that two U.S.… https://t.co/ch17xmxHdb pic.twitter.com/A18A4jd7BK

— Drop Site (@DropSiteNews) March 2, 2026

The Pentagon response to Wyden was dated April 14. On Thursday, Wyden and a bipartisan group of 13 other senators sent a letter to the Defense department’s chief information officer, expressing “serious concern that the [DOD] has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

This vulnerability was identified at least 10 years ago, when tech contractor Mike Yeagley briefed the Joint Special Operations Command on how enemies could exploit commercially available phone location data to create “pattern of life” profiles of individual service members. The contractor, who first publicized the nature of his 2016 briefing in a 2024 Wired article, showed JSOC’s senior officers how he’d tracked phones from US bases that house special ops soldiers to an abandoned cement factory in Syria, which they were using as a forward operating base near an ISIS stronghold in Kobane. The rattled JSOC officers immediately relocated the briefing to a better-secured room. 

For that same article, Wired journalists teamed up with German investigative reporters to acquire a free sample of 3.6 billion coordinates — some separated by mere milliseconds — on upwards of 11 million mobile advertising IDs in Germany, covering a two-month period. “Our analysis revealed granular location data from up to 12,313 devices that appeared to spend time at or near at least 11 military and intelligence sites, potentially exposing crucial details like entry points, security practices, and guard schedules,” the journalists reported.  

Journalists used commercial data to pinpoint location signals from 800 devices at the US Army’s European headquarters at Lucius D. Clay Kaserne (Wired)

In their letter sent Thursday, the Democratic and Republican senators scolded the Pentagon for leaving troops vulnerable:

“DoD officials have not treated this counterintelligence and force protection threat as a five-alarm fire… DoD has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men and women in uniform. That is simply unacceptable.”

They urged the Defense Department to take several specific actions, including the disabling of advertising ID on all DOD-issued smartphones, and ordering service members to disable the advertising ID on personal phones taken onto military installations or on overseas deployments. They also called for the Pentagon to remove browsers  “designed to facilitate data collection by Google and other advertising companies, such as Google Chrome, from DOD unclassified computers and smartphones.” They concluded their letter by posing five follow-up questions, with a due date of June 26. 

At least 13 American service members have been killed in the undeclared war on Iran, and approximately 400 have been wounded in action. It will likely take further probing by Wyden and others to determine whether it’s likely that commercially-available data was used to pinpoint any of their locations.