Peloton Exercise App API Exposed User Data

Posted on by Dawna M. Roberts in News May 18, 2021

Threat researchers had discovered that Peloton exercise products and installed API might have leaked the credentials and private data for millions of users before it was recently patched. 

What Happened?

Peloton Data Leak On the heels of Peloton recalling two of its treadmills due to serious safety issues, last Wednesday Pen Test Partners, an independent security research firm, announced on its blog that they notified Peloton in January about a security flaw in its API. 

Data Breach Today said that “The flaws could allow unauthenticated individuals to view sensitive information for all Peloton users, including snooping on live class statistics, even when users chose private mode settings for their account profiles, Pen Test Partners says.”

The blog goes onto explain that “Peloton has two different privacy settings: ‘private profile’ and ‘hide my age and gender.’ ’Private profile’ restricts users from viewing your profile, and ‘hide my age and gender’ does that in online classes. Having a private profile does not protect all of your data when using Peloton’s classes.”

What is at Risk?

According to the threat researchers, Peloton customers’ user IDs, instructor IDs, locations, group membership details, workout stats, gender, and age is the information that may have been exposed. 

Threat researchers warn that “The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users.”

Alarmingly, Pen Test Partners said that Peloton acknowledged the issue and ignored it but then quietly fixed one of the flaws in February. Even after the initial repair of the API, the data was still available “to all authenticated Peloton users.”

After this second round of fixes, Pen Test Partners assures the public that, for the most part, the issue has been resolved. They had to hire a journalist to start the dialog with Peloton to resolve the issue. Pen Test Partners commented that “It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to.”

Peloton has become very popular during the pandemic as a way for people to keep fit. They have over three million subscribers, including President Biden. 

How Did Peloton Respond?

Peloton reported to Information Security Media Group that “As of this week, we have implemented fixes to the rest, and we are still in discussions with the researcher to hear his feedback on the solutions we’ve implemented. Going forward, we will do better to respond more promptly to security researchers who report vulnerabilities under our coordinated vulnerability disclosure program.”

However, the company denied a public comment and would not speculate how many users’ data was affected.

A hacker and threat researcher at Sequence Security said this about the situation

“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community while respecting those who want privacy by ensuring the data is secure, they have risked all user data.”

How Peloton Users Can Stay Safe

Keep all your equipment, firmware, and apps updated to the latest security patches. Keep on top of emerging threats and look for updates to improve security measures. Try to share as little information as possible by limiting permissions and adjusting your privacy and security settings in all apps. 

Others way for users to stay safe are:

  • Always use strong passwords.

  • Turn on two-factor authentication whenever it is offered.

  • Keep antivirus/anti-malware software running on all your devices. 

  • Sign up for identity theft monitoring to protect your identity from thieves. 

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!