Among the data anyone on the internet could access: a Peloton user's age, birthdate, city, gender, weight and workout statistics, all of which can be set to private by a user but were still accessible.
Peloton’s leaky API let anyone grab riders’ private account data
But the company won't say if it has evidence of malicious exploitation.
Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.
My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.
The API that powers Peloton’s bikes and profiles may have exposed customer data to third parties, according to TechCrunch. The API bug has been resolved, but it’s not clear if anyone gained access.
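To make the failure concrete, here is an added example (not Peloton's code) contrasting a profile endpoint that ignores the owner's privacy flag with one that enforces it on the server; the field names follow the article, while the friend relationship, request shape and sample accounts are assumptions.

```python
"""Object-level authorization for a fitness profile API endpoint.

Added illustration, not Peloton's code: a leaky handler that hands the
stored record to any caller, beside a hardened one that releases private
fields only to the profile owner or an accepted friend. Profiles and the
friend graph are constructed sample data; the request shape is assumed.
"""
from dataclasses import dataclass, field

# Allow-list of fields a private profile exposes to strangers. Everything
# else (age, birthdate, city, gender, weight, workout stats) stays hidden.
PUBLIC_FIELDS = {"username"}

@dataclass
class Profile:
    user_id: int
    is_private: bool
    data: dict                      # all stored attributes
    friends: set = field(default_factory=set)

# Constructed sample records (hypothetical accounts).
PROFILES = {
    1: Profile(1, True, {"username": "rider_a", "age": 41,
                         "birthdate": "1983-02-14", "city": "Boston",
                         "gender": "m", "weight": 80,
                         "workout_stats": {"rides": 312}}, friends={2}),
    2: Profile(2, False, {"username": "rider_b", "age": 29, "city": "Austin"}),
}

def leaky_get_profile(target_id, caller_id=None):
    """The bug pattern: privacy flag and caller identity are never consulted."""
    return dict(PROFILES[target_id].data)

def get_profile(target_id, caller_id=None):
    """Hardened handler: caller_id is None for an unauthenticated request."""
    p = PROFILES.get(target_id)
    if p is None:
        return None                 # same response shape for missing ids
    is_owner = caller_id is not None and caller_id == p.user_id
    is_friend = caller_id is not None and caller_id in p.friends
    if is_owner or is_friend or not p.is_private:
        return dict(p.data)
    # Private profile viewed by a stranger: enforce the allow-list on the
    # server; never rely on the client to drop fields it was already sent.
    return {k: v for k, v in p.data.items() if k in PUBLIC_FIELDS}
```

The unauthenticated call against the private account is the case the article describes: the leaky handler returns the birthdate and weight, the hardened one returns only the username.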
On top of the privacy spill, Peloton is also recalling all treadmills after the equipment was linked to 70 injuries and the death of one child.
Peloton has hit a pothole. Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn’t get around to telling the researcher until he reached out to a cybersecurity journalist for some help.
This is bad news for Peloton, coming just before other, far more horrific news hit the headlines: Namely, on Wednesday, the company recalled all of its treadmills, which have been linked to 70 injuries and the death of one child. It also admitted that it had been wrong to refuse the Consumer Product Safety Commission’s request that it pull the equipment: In April, the CPSC warned consumers to stay off the Peloton Tread+, which “poses serious risks to children for abrasions, fractures, and death.”