Peloton is having a rough day. First, the company recalled two treadmill models following the death of a 6-year-old child who was pulled under one of the devices. Now comes word Peloton exposed sensitive user data, even after the company knew about the leak. No wonder the company’s stock price closed down 15 percent on Wednesday.
Peloton provides a line of network-connected stationary bikes and treadmills. The company also offers an online service that allows users to join classes, work with trainers, or do workouts with other users. In October, Peloton told investors it had a community of 3 million members. Members can set accounts to be public so friends can view details such as classes attended and workout stats, or users can choose for profiles to be private.
I know where you worked out last summer
Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.