Peloton exercise bikes found exposing user data – company dawdles in its response

Back in January I wrote a piece explaining why I didn’t think we should worry too much about media reports theorising on the potential of Joe Biden’s Peloton being a security risk.


My view was that the fears of spying on the newly-inaugurated US President via the exercise bike’s microphone and webcam might be overhyped. In short – don’t sweat.


On the same day as I published that article, a little birdie in the infosecurity community privately reached out to me saying that there might be another concern – that Peloton might be leaking personal information about its many customers.





The news didn’t land well with me as I had just had my own Peloton delivered, at the recommendation of my equally fat brother who had been exercising on one for some months.


Gulp!


Now, finally, the news is public.


As researchers at Pen Test Partners explain in a blog post, Peloton’s API was leaking information about users (their user IDs, location, statistics about workouts, their gender and age, avatar, and so on…)


Furthermore, setting your Peloton account to “private” may have restricted your profile from being viewed by anyone other than fellow cyclists you had authorised, but didn’t prevent anyone from accessing the details via the API.
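The failure mode described above is a classic one: a “private” flag that is honoured by the web interface but never checked by the API that serves it. The following is an added example, not code from Pen Test Partners or Peloton, and it does not model any real Peloton endpoint. It shows a toy profile API with a leaky handler beside a hardened one that enforces the privacy setting per object on the server, plus the kind of ID-sweep check a practitioner would run to confirm a fix. All names, fields and records are constructed.

```python
# Added example, not code from Pen Test Partners or Peloton: a toy profile API
# that reproduces the failure mode described above. The "private" flag gates the
# web UI but the vulnerable handler ignores it, so anyone who can call the API
# with a user ID gets the full record. The hardened handler enforces the same
# rule server-side. Every name, field and record below is constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    username: str
    private: bool
    age: int
    gender: str
    city: str
    total_workouts: int
    # user IDs the owner has authorised to view their profile
    followers: set = field(default_factory=set)


# Constructed sample directory. Alice is private and has authorised Bob; Bob is public.
USERS = {
    1: User(1, "alice", True, 34, "F", "London", 120, followers={2}),
    2: User(2, "bob", False, 41, "M", "Leeds", 15),
}

SENSITIVE_FIELDS = ("age", "gender", "city", "total_workouts")


def public_view(u):
    """Minimal view: what an unauthorised caller should see of a private profile."""
    return {"user_id": u.user_id, "username": u.username}


def full_view(u):
    """Everything the profile page shows to an authorised viewer."""
    view = public_view(u)
    view.update({f: getattr(u, f) for f in SENSITIVE_FIELDS})
    return view


def get_profile_vulnerable(requester_id, target_id):
    """Leaky handler: the privacy flag is never consulted, so the API returns the full
    profile to any caller (requester_id None = unauthenticated) for any known ID."""
    u = USERS.get(target_id)
    return None if u is None else full_view(u)


def get_profile_hardened(requester_id, target_id):
    """Authorisation decided per object at the API layer, not in the UI: a private
    profile is returned in full only to its owner or an authorised follower."""
    u = USERS.get(target_id)
    if u is None:
        return None
    if not u.private or requester_id == u.user_id or requester_id in u.followers:
        return full_view(u)
    return public_view(u)


def count_disclosures(requester_id, handler, id_range):
    """Check a practitioner would run after a fix: sweep a user-ID range as the given
    requester and count profiles that disclose any sensitive field."""
    leaked = 0
    for uid in id_range:
        profile = handler(requester_id, uid)
        if profile and any(f in profile for f in SENSITIVE_FIELDS):
            leaked += 1
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_profile_vulnerable),
                          ("hardened", get_profile_hardened)):
        print(name, "anonymous sweep discloses",
              count_disclosures(None, handler, range(1, 4)), "profiles")
```

The point of the sweep is that it is run against the API, not the web page: if an unauthenticated caller iterating over user IDs still gets age, location or workout statistics for a profile marked private, the privacy setting is cosmetic. The hardened handler also keeps returning the minimal public view rather than an error, so the fix does not turn the endpoint into an oracle for which IDs exist unless that is an accepted design choice.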


But why did the news of Peloton’s data goof take so long to become public? It appears that the process of getting Peloton to understand the nature o ..