A data leak makes Peloton’s terrible, not good, really bad day worse



Peloton is having a tough day. First, the company recalled two models of treadmills after the death of a 6-year-old child who was pulled under one of the machines. Now comes word that Peloton exposed sensitive user data even after the company learned of the leak. No wonder the company’s share price closed down 15 percent on Wednesday.

Peloton offers a range of networkable stationary bikes and treadmills. The company also offers an online service that allows users to take classes, work with trainers, or train with other users. In October, Peloton told investors that it had a community of 3 million members. Members can set their accounts to public so friends can view details such as classes attended and training stats, or they can choose to keep their profiles private.

I know where you trained last summer

Researchers at security consultancy Pen Test Partners reported Wednesday that a bug in Peloton’s online service was making user data available to anyone in the world, even when a profile was set to private. All that was required was a little knowledge of the flawed programming interfaces (APIs) Peloton uses to transfer data between devices and the company’s servers.

The exposed data included:

  • User IDs
  • Instructor IDs
  • Group membership
  • Training statistics
  • Gender and age
  • Weight
  • Whether they’re in the studio or not

Ars agreed to withhold one additional piece of exposed personal information because Peloton is still working to secure it.

A blog post published by Pen Test Partners on Wednesday said the APIs did not require any authentication before handing over the information. The firm’s researchers said they reported the exposure to Peloton in January and received an acknowledgment immediately. Then, according to Wednesday’s post, Peloton fell silent.


Slow response, botched solution

Two weeks later, the researchers say, the company quietly deployed a partial fix. Instead of serving the user data with no authentication at all, the APIs now made the data available only to requesters who had an account. The change was better than nothing, but it confused authentication with authorization: anyone who subscribed to the online service could still retrieve another subscriber’s private information.
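The distinction the partial fix missed is the one between authentication (is the caller logged in?) and authorization (is this caller allowed to see this particular profile?). The following is an added illustration, not Peloton’s code and not Pen Test Partners’ code: a toy profile-lookup API with constructed sample data and three handler versions, one with no authentication (the original state described above), one that only checks for a valid session (the partial fix), and one that also checks the profile’s privacy setting against the requester’s identity (object-level authorization). The user IDs, tokens and stats are made up.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: str
    private: bool
    stats: dict


# Constructed sample data for the illustration; not real Peloton records.
PROFILES = {
    "u-100": Profile("u-100", private=True, stats={"age": 41, "weight_kg": 78, "rides": 120}),
    "u-200": Profile("u-200", private=False, stats={"age": 29, "weight_kg": 65, "rides": 12}),
}

# Session token -> account that owns the session (constructed).
SESSIONS = {"tok-alice": "u-100", "tok-bob": "u-200"}


def requester_from(token):
    """Authentication step: map a bearer token to an account ID, or None."""
    return SESSIONS.get(token)


def get_profile_v0(target_id):
    """Original state: no authentication, no authorization."""
    p = PROFILES.get(target_id)
    return (200, p.stats) if p else (404, None)


def get_profile_v1(token, target_id):
    """Partial fix: requires *some* valid account, but never asks whether
    that account may see this profile, so private data is still readable
    by every other subscriber."""
    if requester_from(token) is None:
        return (401, None)
    p = PROFILES.get(target_id)
    return (200, p.stats) if p else (404, None)


def get_profile_v2(token, target_id):
    """Object-level authorization: a private profile is served only to its
    owner; public profiles are served to any authenticated account."""
    requester = requester_from(token)
    if requester is None:
        return (401, None)
    p = PROFILES.get(target_id)
    if p is None:
        return (404, None)
    if p.private and requester != p.user_id:
        return (403, None)
    return (200, p.stats)


if __name__ == "__main__":
    print("v0, anonymous, private profile:", get_profile_v0("u-100")[0])
    print("v1, other subscriber, private profile:", get_profile_v1("tok-bob", "u-100")[0])
    print("v2, other subscriber, private profile:", get_profile_v2("tok-bob", "u-100")[0])
    print("v2, owner, private profile:", get_profile_v2("tok-alice", "u-100")[0])
```

The check worth copying is the single line in `get_profile_v2` that compares the requester to the record’s owner; a login gate alone, as in `get_profile_v1`, still leaves every private profile readable by every paying account. Some APIs return 404 rather than 403 for the private case so that the response does not confirm which user IDs exist.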

When Pen Test Partners notified Peloton that the fix was inadequate, the researchers said, they received no response. Ken Munro, a researcher at Pen Test Partners, said he even went so far as to look up company executives on LinkedIn. The researchers said a proper fix didn’t come until after TechCrunch reporter Zack Whittaker, who first reported the leak, asked the company about it.

“I was pretty pissed off at this point, but I thought it was worth one last try before dropping a 0-day on Peloton users,” said Munro. “I asked Zack W to contact their press office. It had a wonderful effect – within a few hours I had an email from their new CISO, who was new to the role, had been investigating, had found their earlier response rather weak, and had a plan to fix the bugs.”

A Peloton representative declined to discuss the timeline on the record but provided the following canned statement:

Keeping our platform secure is a priority for Peloton and we are always looking to improve our approach and process to working with the external security community. Through our coordinated vulnerability disclosure program, a security researcher informed us that he could access our API and view information available in a Peloton profile. We have taken action and addressed the issues based on his initial contributions, but we have been slow to keep the researcher informed of our remediation efforts. In the future, we’ll do better to work with the security research community and respond more quickly when vulnerabilities are reported. We would like to thank Ken Munro for submitting his reports on our CVD program and for being open to working with us to resolve these issues.

The incident is the latest reminder that data stored online can often be accessed by anyone, even when companies claim otherwise. This puts people in a bind. On the one hand, sharing weight, exercise statistics, and other data can often help users get the most out of workouts or group training. On the other hand … well, you know.


I generally try to falsify much of the data I provide or leave it incomplete. Most of the services I use that require a credit card will authorize purchases even if I have provided a wrong name, address, and phone number. Oftentimes, if these details are not tied to usernames or other data, it can minimize the sting of a data leak like this one.

Update: I wasn’t clear in the last paragraph, so I’ll try again. Websites generally have two places where they ask for your information. One record is saved with the user account details. The other is used by the payment processor. For example, my name is listed as Dang in my Amazon account. But when I gave my credit card details, I obviously didn’t give a wrong name.

Same goes for HBO Max. There is a tab for account information and a tab for billing information. I don’t see any reason why I should enter my real or full name on the Account tab. For obvious reasons, I don’t falsify any information on the Billing tab. Even so, I can often get away with incomplete information when providing billing details. In the billing area of many websites, for example, I can enter only my street name, not my house number, and only the initials of my first and last names.

My rationale for all of this: websites generally store account information and billing information in separate buckets, and the billing bucket seems to be better secured. Internet companies have a terrible track record of securing user data. The less they have about me, the better. I hope these additional details better explain how and why I do this.


Steven Gregory