Peloton users' private account data was left exposed

The company says the issue has been resolved.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

Peloton users' private data, including birthday, location, gender, weight and workout statistics, was exposed to the public through a leaky application programming interface, TechCrunch reported Wednesday. An API is the software interface through which applications, such as Peloton's mobile app, request data from a company's servers. Because this one handed back profile data even for profiles marked private, it left users' information open to data-scraping attacks similar to those used against Facebook. Peloton said the bug has since been fixed.

A security researcher originally discovered the API vulnerability, which let him retrieve the user data even from Peloton profiles that were set to private. TechCrunch reported that the researcher told Peloton of the flaw on Jan. 20 but that the vulnerability still wasn't fixed three months later, past the 90-day disclosure window that security researchers typically give companies to fix a vulnerability before going public. The publication said that after that deadline passed, it asked Peloton why the researcher's report had been ignored and was told the bug had been dealt with.
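The bug class described above, an API that serves a profile record without checking the profile's privacy setting on the server, is easy to show side by side with the fix. The following is an added illustration written for this article, not Peloton's code or the researcher's: the handler names, profile fields and user ids are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, asdict


# Constructed sample data for illustration only; these are not real Peloton
# users, and the field names are assumptions, not Peloton's schema.
@dataclass(frozen=True)
class Profile:
    user_id: int
    username: str
    private: bool
    birthday: str
    location: str
    gender: str
    weight_kg: float
    workouts: int


PUBLIC_FIELDS = ("user_id", "username")
PERSONAL_FIELDS = ("birthday", "location", "gender", "weight_kg", "workouts")

SAMPLE_DB = {
    1001: Profile(1001, "rider_a", False, "1985-03-02", "Austin, TX", "F", 61.0, 412),
    1002: Profile(1002, "rider_b", True, "1979-11-17", "Denver, CO", "M", 84.5, 98),
    1003: Profile(1003, "rider_c", True, "1992-06-30", "London, UK", "F", 58.2, 1207),
}


def vulnerable_get_profile(db, requester_id, target_id):
    """Leaky handler: looks the record up and returns every field.

    The 'private' flag is stored but never consulted, so any caller,
    even an unauthenticated one (requester_id=None), who can guess or
    enumerate a user_id gets the full record."""
    profile = db.get(target_id)
    if profile is None:
        return 404, None
    return 200, asdict(profile)


def hardened_get_profile(db, requester_id, target_id):
    """Fixed handler: require a caller identity, then enforce the privacy
    setting on the server for every record, not only in the app's UI."""
    if requester_id is None:
        return 401, None
    profile = db.get(target_id)
    if profile is None:
        return 404, None
    if profile.private and requester_id != profile.user_id:
        # Anyone other than the owner sees only the public subset.
        return 200, {k: getattr(profile, k) for k in PUBLIC_FIELDS}
    return 200, asdict(profile)


def scrape(handler, db, requester_id, id_range):
    """Simulates an enumeration attack against a handler: walks a range of
    ids and returns the ones whose personal fields came back."""
    leaked = {}
    for uid in id_range:
        status, body = handler(db, requester_id, uid)
        if status == 200 and any(f in body for f in PERSONAL_FIELDS):
            leaked[uid] = body
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no auth:", sorted(scrape(vulnerable_get_profile, SAMPLE_DB, None, ids)))
    print("hardened, no auth:  ", sorted(scrape(hardened_get_profile, SAMPLE_DB, None, ids)))
    print("hardened, as 1002:  ", sorted(scrape(hardened_get_profile, SAMPLE_DB, 1002, ids)))
```

Against the leaky handler the scraper recovers all three records without logging in; against the fixed one an unauthenticated scraper gets nothing, and a logged-in user sees personal fields only for public profiles and their own. The authorization check has to sit in every endpoint that can return profile data, including search and leaderboard views, or the scraper simply moves to the endpoint that was missed; per-account rate limiting slows enumeration but is no substitute for the check itself.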

Asked to comment on the TechCrunch report, a Peloton spokesperson said in a statement that the company's communication with the researcher was lacking.

"It's a priority for Peloton to keep our platform secure and we're always looking to improve our approach and process for working with the external security community," the spokesperson said. "Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that's available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."

It's unclear whether any malicious actors accessed the personal info while it was exposed.