Most of us don’t give much thought to exactly where we are while we’re tapping out a text message or posting an Instagram. But wherever you go online, and whatever you do, you’re actually leaking little rivulets of data — digital breadcrumbs that could be used to track you.

In fact, a Harvard student named Aran Khanna has developed a new, publicly available browser extension that does just that. Using data from Facebook Messenger — the stand-alone mobile messaging app that 600 million people currently use — his tool can pinpoint, down to the address and without them knowing, where your Facebook friends are at. He’s calling it, appropriately, the Marauder’s Map.

“Creepily track your friends from FB messages!” He promises  in his description of the app.

Here’s how Khanna’s app works, in a nutshell. By default, Facebook attaches your phone’s location to every message you send in Messenger, both to friends and to strangers in message groups. It’s not just a vague location, either: Facebook’s tracking your longitude and latitude with five decimal places of precision, which means you could theoretically not only know someone’s address, but which exact room they were in.

Khanna scrapes that data and plots it on a map. For people who use Messenger frequently, that results in a startlingly accurate picture of their daily schedule and their most-visited addresses. One or two people working together, Khanna concludes, could “track me very accurately without me ever knowing.”

Facebook has, not surprisingly, promised to address the issue; it’s certainly become less urgent in the past 36 hours, when so many people began using Marauder’s Map that the app basically stopped working.

But in either case, this issue goes deeper than one gimmicky app. It’s about a principle of privacy and data-sharing — and the fact that, thanks to our networks’ default settings, we’re rarely conscious of them.

“I didn’t realize how much data about me Messenger was revealing to the people I chatted with,” wrote Khanna, who — notably!! — is both a soon-to-be Facebook intern and a computer science student at an Ivy League University. In other words, he of all people understands data privacy. He continues:

“The main problem is that every time you open your phone and send a single message it’s so easy to forget about your location data being attached to it … It seems so harmless to attach a location with a single message, but the problem is over time the information from these messages adds up.” (Emphasis mine.)

And we knew that already, right? As early as 2011, developers like Khanna were hacking together maps to show how much location data is embedded in our social networks and programs. Just last February, many were startled to learn that Instagram automatically plots your photos on a map — which means that, if you take pictures at your house, and unless you explicitly turn the feature off, your home address is public on the Internet.

But as Khanna himself notes, it’s not unusual to let these things fall through our mental cracks, simply because they’re the default, opt-out settings. That’s intentional on the part of app-makers, and worth considering: They’re framing a privacy choice in such a way that it seems you don’t have any.

In a statement, a Facebook spokesperson said that “we’ve been listening to people’s feedback and for the last few months have been working hard to improve this experience. We will be rolling out improvements very soon.”

The best fix, in the meantime? Schedule a privacy check-up for yourself. On iPhone, jet over to your privacy tab (that’s under settings) and check out which apps have access to your contacts, calendars, health data and location settings. On Android, you can check the permissions you’ve granted each app by clicking over to “applications” from the settings tab. Whatever phone you’re using, it’s worth reviewing your settings for Facebook location tracking, too.

Read; weep; adjust accordingly. Mischief managed, as they say.

Updated at 1:30 p.m. to add a statement from a Facebook spokesperson.