Peloton data leak exposes users' personal data
Peloton is having a pretty bad week. First it was forced to recall its range of treadmills over serious safety concerns, and issue an apology for refusing to act quicker. Now it has emerged that the company has also failed to safeguard user data, some of which is highly personal.
The security failure was highlighted by TechCrunch, which received information regarding the journalist's own Peloton account that was set to private. The security researcher was able to access Peloton's API, which is the system through which apps and devices can connect to Peloton's servers. The API was happy to present this information without authentication.
Once told by the security researcher that its API was spewing private information all over the internet, the company restricted the API to accept only requests that provided valid Peloton accounts. This still allowed anyone who was prepared to pay for an account to access the data.
Peloton's systems hold information on a user's age, gender, weight and workout statistics. After basically ignoring the report from the security researcher, it was only when TechCrunch asked for comment that the loophole was closed. There was some additional concern over the leaky API, as Peloton counts President Joe Biden among its customers.
Pen Test Partners, which discovered the API problem, has also published its findings, along with screenshots of the API responses. It's notable that along with the personal information, an Amazon AWS instance holds profile pictures for members who have uploaded them. This appears to use the account's username for the photo too, which would make it very easy to access.
The problem has now been completely fixed and API access is no longer available either without authentication, or with basic subscriber credentials.
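The three states of the API described above (open, authenticated only, and authenticated with a per-profile check) can be compared side by side in this added Python example. It is not Peloton's or Pen Test Partners' code; the profile fields, session tokens and the owner-or-public rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:                      # constructed sample record
    user_id: str
    private: bool
    age: int
    weight_kg: float

# Constructed data: u1 has marked the profile private, u2 has not.
PROFILES = {"u1": Profile("u1", True, 41, 63.5), "u2": Profile("u2", False, 29, 80.0)}
SESSIONS = {"tok-u1": "u1", "tok-u2": "u2"}   # hypothetical session token -> account

class Denied(Exception):
    pass

def no_auth(target_id, token=None):
    # Stage 1: the API as first reported, answering without authentication.
    return PROFILES[target_id]

def any_account(target_id, token=None):
    # Stage 2: authentication only. Any paying subscriber still reads any profile.
    if token not in SESSIONS:
        raise Denied("authentication required")
    return PROFILES[target_id]

def owner_or_public(target_id, token=None):
    # Stage 3 (assumed rule): authentication plus a check on the requested object.
    caller = SESSIONS.get(token)
    if caller is None:
        raise Denied("authentication required")
    profile = PROFILES.get(target_id)
    # Same answer for "missing" and "private" so responses do not confirm IDs.
    if profile is None or (profile.private and caller != profile.user_id):
        raise Denied("not found")
    return profile

def can_read(handler, target_id, token=None):
    try:
        return handler(target_id, token).user_id == target_id
    except (Denied, KeyError):
        return False

def access_matrix(handler):
    # Who can read u1's private profile: anonymous, another subscriber, the owner.
    return tuple(can_read(handler, "u1", t) for t in (None, "tok-u2", "tok-u1"))

if __name__ == "__main__":
    for h in (no_auth, any_account, owner_or_public):
        print(f"{h.__name__:16} {access_matrix(h)}")
```

Only the third handler honours the private flag for a caller who holds a valid account, which is the gap the first fix left open.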
Peloton told TechCrunch, "Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."
Source: https://www.tomsguide.com/news/peloton-data-leak-exposes-users-personal-data
Posted by: mcknightdreptosely.blogspot.com
