Peloton members who kept their accounts private may have been at risk of data exposure, a new report suggests.
Sensitive information, such as a user’s location, gender, age, workout statistics and user ID, could be pulled directly from Peloton’s servers even when the member’s profile was set to private, allowing an unauthenticated user to snoop on personal data, TechCrunch first reported.
The security glitch has since been fixed.
The at-home spin bike and treadmill company with more than 3 million members, reportedly including President Biden, was letting anyone access its users’ data due to a faulty Application Programming Interface (API), software that lets two applications communicate with each other over the internet, according to the TechCrunch report.
A security researcher at Pen Test Partners, Jan Masters, discovered on Jan. 20 that anyone online could make unauthenticated requests to Peloton’s API for user account data, and the API returned it without verifying that the requester was allowed to see it.
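The flaw described above is a missing authentication and authorization check on a profile endpoint. The following is an added illustration written for this article, not Peloton’s code: a minimal model of a profile handler in its vulnerable form beside a hardened form, plus the regression check a defender would keep in the test suite so the bug cannot silently return. Every endpoint, field name, token and profile record here is constructed for the example.

```python
"""Hypothetical profile endpoint: vulnerable vs. hardened.

Added example for illustration; not Peloton's code. All profiles,
tokens and field names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: int
    username: str
    location: str
    gender: str
    age: int
    workouts_total: int
    is_private: bool


# Constructed sample records (not real users).
PROFILES = {
    1001: Profile(1001, "alice", "Austin, TX", "F", 34, 212, is_private=True),
    1002: Profile(1002, "bob", "Denver, CO", "M", 41, 57, is_private=False),
}

# Constructed session store: bearer token -> user_id of the logged-in caller.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Fields that must never reach anyone but the profile owner.
SENSITIVE_FIELDS = ("location", "gender", "age", "workouts_total")


def profile_vulnerable(user_id, headers=None):
    """Vulnerable handler: ignores the Authorization header and the
    is_private flag, so any caller gets the full record by user ID."""
    p = PROFILES.get(user_id)
    if p is None:
        return 404, None
    return 200, vars(p).copy()


def _authenticate(headers):
    """Map a bearer token to a user_id; None if missing or unknown."""
    auth = (headers or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def profile_hardened(user_id, headers=None):
    """Hardened handler: require a session (401), give the owner the full
    record, give others only the public subset of a public profile, and
    answer 404 for private profiles so existence is not confirmed."""
    caller = _authenticate(headers)
    if caller is None:
        return 401, None
    p = PROFILES.get(user_id)
    if p is None:
        return 404, None
    if caller == p.user_id:
        return 200, vars(p).copy()
    if p.is_private:
        return 404, None
    return 200, {"user_id": p.user_id, "username": p.username}


def leaks_without_auth(handler):
    """Regression check: does the handler hand any sensitive field to an
    unauthenticated caller for any profile? True means the bug is present."""
    for uid in PROFILES:
        status, body = handler(uid, headers={})
        if status == 200 and body and any(f in body for f in SENSITIVE_FIELDS):
            return True
    return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_without_auth(profile_vulnerable))
    print("hardened leaks:  ", leaks_without_auth(profile_hardened))
```

The hardened handler makes two separate decisions: who the caller is (authentication, answered with 401 when absent) and what that caller may see of this record (authorization, driven by the owner check and the privacy flag). Returning 404 rather than 403 for a private profile avoids confirming which user IDs exist. The `leaks_without_auth` probe is the kind of check worth running against every endpoint that takes a user identifier.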
Peloton did not immediately return a FOX Business request for comment.
Masters reported the faulty API to Peloton on Jan. 20, and the company reportedly had 90 days to fix it before the researchers made the findings public. Peloton told TechCrunch on Tuesday the API had been fixed, and the publication held its story until the security issue was resolved to prevent further risk of data exposure. It's unclear whether any attackers obtained sensitive user data.
"It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts," Peloton spokesperson Amelise Lane said in a statement to TechCrunch.
"Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."
The connected fitness company has been under fire over the safety of its Tread+, a $4,295 machine, after 39 reports of injuries and one child's death.
Consumer Reports last month pulled its recommendation for the Tread+ after the U.S. Consumer Product Safety Commission urged consumers to stop using it. The company has maintained the Tread+ is "safe when our warnings and safety instructions are followed," noting it is not for children under 16 or pets.