Peloton API Exposed User Data, Even for Private Accounts


Peloton’s had a rough go in the news cycle lately, and not helping matters is the fact that its leaky API allowed any hacker to obtain any user’s account data — even if that user had set their profile to private.

The vulnerability, which was discovered by security research firm Pen Test Partners, allowed requests for Peloton user account data to go through without checking that the request was authenticated. The API itself is the bit of software that allows the Peloton hardware to communicate with the company’s servers that store user data. As a result, the exposed API could let anyone with a bit of know-how access any Peloton user’s age, gender, city, weight, workout stats, and birthday. Yikes.

The freaky thing here is that this was true even if a user decided to make their account private. Peloton has two separate privacy settings: one for your profile, and one to hide your age and gender. The former prevents other Peloton users from viewing your profile, while the latter prevents your age and gender from appearing in classes. (For the uninitiated, one of Peloton’s draws is a competitive leaderboard.) However, enabling these privacy settings didn’t matter. The researchers were still able to access data from private accounts.

Pen Test Partners disclosed the issue to Peloton in January and gave them a 90-day window to fix the issue. That’s standard protocol for these sorts of things, and Peloton itself has its own responsible disclosure program. While Peloton initially acknowledged it had received the info, it then reportedly ghosted the researchers. In early February, the company appeared to have partially fixed the issue — except private data was still accessible to authenticated Peloton users. At this point, the researchers then enlisted TechCrunch — which broke this story — to get involved.
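To make the difference between the original flaw, the partial fix, and a complete fix concrete, here is an added example (not Peloton's code, and not from the researchers) that models a profile lookup in Python. The field names, sample accounts, and the simplified meaning of the two privacy settings are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:  # constructed record; field names are hypothetical
    user_id: str
    city: str
    age: int
    gender: str
    private_profile: bool = False   # setting 1: hide profile from others
    hide_age_gender: bool = False   # setting 2: hide age and gender

USERS = {  # constructed sample accounts
    "u1": User("u1", "Leeds", 34, "F", private_profile=True),
    "u2": User("u2", "Austin", 41, "M", hide_age_gender=True),
    "u3": User("u3", "Perth", 29, "F"),
}
PROFILE_FIELDS = ("user_id", "city", "age", "gender")

def _record(user):
    data = asdict(user)
    return {k: data[k] for k in PROFILE_FIELDS}

def profile_no_auth(target_id, caller_id=None):
    """As first reported: the caller's identity is never checked."""
    return _record(USERS[target_id])

def profile_auth_only(target_id, caller_id=None):
    """The partial fix: login required, privacy settings still ignored."""
    if caller_id not in USERS:
        return None  # would be HTTP 401
    return _record(USERS[target_id])

def profile_enforced(target_id, caller_id=None):
    """Authentication plus a server-side check of the target's settings."""
    if caller_id not in USERS:
        return None  # would be HTTP 401
    target = USERS.get(target_id)
    if target is None:
        return None  # would be HTTP 404
    view = _record(target)
    if caller_id == target_id:
        return view  # owners always see their own data
    if target.private_profile:
        return None  # would be HTTP 403 or 404
    if target.hide_age_gender:
        view.pop("age")
        view.pop("gender")
    return view
```

The point for anyone reviewing an API like this: the privacy check has to live on the server, per requested object, and a test suite should include a logged-in user asking for someone else's private record.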

In an update, Pen Test Partners said Peloton reached out and the aforementioned vulnerabilities were fixed within seven days. In a statement to TechCrunch, a Peloton spokesperson said: “We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.”

Cool, but also not-so-cool given how the company has handled some of the issues it’s been facing recently. Specifically, today it agreed to recall both the Tread+ and Tread after a tense back-and-forth with the U.S. Consumer Product Safety Commission. The CPSC issued a warning in April saying households with small pets and children should stop using the pricier treadmill after a series of incidents and that the company should recall the Tread+. For its part, Peloton pushed back, blaming improper use as the root cause for the tragedies. According to an Insider report, several Peloton users had reported issues with the Tread+ as early as 2019, and many experienced slow or unresponsive customer service.

While many businesses have floundered due to the pandemic, Peloton’s not one of them. Its business has skyrocketed as people search for gym alternatives during lockdowns. However, its customer service has received a lot of flak for months-long shipping delays, with many owners venting their frustration on social media. There’s a pattern developing here, and Peloton’s sluggish response to customers, security researchers, and consumer safety agencies is clearly something the company needs to reevaluate.


Editor’s Note: Peloton products are not yet available in Australia but are coming soon.