Popular beer rating app Untappd has some eight million users worldwide, providing a platform for beer lovers to share pictures and tasting notes of their favorite brews. But in a barely-believable twist — one that sounds like it was devised for a Hollywood blockbuster — it turns out that the app has also been quietly spilling clandestine government information.

According to researchers from Bellingcat, an “independent international collective of researchers, investigators and citizen journalists,” military personnel using Untappd have been inadvertently sharing sensitive and confidential information alongside their favorite IPAs.

Like regular users of the app, members of the military have been using Untappd to discover and share beer with others. But by uploading pictures and “checking-in” at locations, military personnel have also exposed confidential info, including military locations. In some cases, classified documentation and even debit card info were revealed.

By scouring Untappd data, researchers from Bellingcat pinpointed users at locations such as the Pentagon, and secretive training spaces like Camp Peary — a facility used by the CIA and DIA (Defence Intelligence Agency).

While that information is sensitive enough on its own, data from the app could also be used to provide further security breaches, as defense and security writer Kyle Mizokami points out in a recently published Popular Mechanics article.

“An intelligence agency could, for example, locate bars frequented by service members near military bases, discover the most popular beer there, and then send spies to ingratiate themselves with those personnel, ordering their favorite beer—and hopefully getting someone to spill secrets,” Mizokami writes.

For intelligence supervisors perturbed by the tracking exposure, there’s an easy fix to protect this data: Users can simply set their account settings to “private” to better-conceal personal locations.

Removing military documents from beer pic uploads would probably help, too.