Peloton exercise bikes found exposing user data – company dawdles in its response

Fit for purpose?

Peloton exercise bikes found exposing user data

Back in January I wrote a piece explaining why I didn’t think we should worry too much about media reports theorising on the potential of Joe Biden’s Peloton being a security risk.

My view was that the fears of spying on the newly-inaugurated US President via the exercise bike’s microphone and webcam might be overhyped. In short – don’t sweat.

On the same day as I published that article, a little birdie in the infosecurity community privately reached out to me saying that there might be another concern – that Peloton might be leaking personal information about its many customers.

Sign up to our free newsletter.
Security news, advice, and tips.

The news didn’t land well with me as I had just had my own Peloton delivered, at the recommendation of my equally fat brother who had been exercising on one for some months.

Gulp!

Now, finally, the news is public.

As researchers at Pen Test Partners explains in a blog, Peloton’s API was leaking information about users (their user IDs, location, statistics about workouts, their gender and age, avatar, and so on…)

Furthermore, setting your Peloton account to “private” may have restricted your profile from being viewed within the app or from the bike by anyone other than fellow cyclists you had previously authorised, but didn’t actually prevent anyone from accessing the details via the API.

But why did the news of Peloton’s data goof take so long to become public? It appears that the process of getting Peloton to understand the nature of the problem and them properly fixing it was unnecessarily protracted.

Furthermore, Peloton initially tried to apply silent fixes for the problem – without informing the researchers. Unfortunately those fixes were at first only partially successfully at preventing data from being accessed – still making it available to other Peloton users, rather than the entire world.

Ultimately, the problem was only properly brough to a satisfactory conclusion after a journalist contacted the fitness firm’s PR department.

Don’t ignore reports from vulnerability researchers. Don’t try to silently fix problems without working with them to ensure that you have understood the problem properly. Don’t wait until a journalist is called in to make you take the problem a little more seriously.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.