Peloton data leak exposes users' personal data

(Image credit: Peloton)

Peloton is having a pretty bad week. Showtime it was forced to call up its range of treadmills over serious safety concerns, and result an amends for refusing to human action quicker. At present information technology has emerged that the company has besides failed to safeguard user data, some of which is highly personal.

The security failure was highlighted by TechCrunch, which received data regarding the journalist's own Peloton business relationship that was set to private. The security researcher was able to access Peloton's API, which is the system through which apps and devices can connect to Peloton's servers. The API was happy to present this information without authentication.

Cheque out our favorite treadmills for indoor running and walking workouts
Here are the best exercise bikes for habitation use
Plus: Peloton responds to 'urgent' CSPC warning over treadmill's risks to children

Once told by the security researcher that its API was spewing private information all over the net, the company restricted equipment to only connect with requests that provided valid Peloton accounts. This notwithstanding allowed anyone who was prepared to pay for an business relationship to access the data.

Peloton's systems hold information on a user's age, gender, weight and workout statistics. After basically ignoring the report from the security researcher, it was only when TechCrunch asked for comment that the loophole was closed. At that place was some additional concern over the leaky API, as Peloton counts President Joe Biden amid its customers.

Pen Test Partners, which discovered the API problem, has too published its findings, forth with screenshots of the API responses. It's notable that along with the personal information, an Amazon AWS instance holds profile pictures for members which have uploaded them. This appears to use the account's username for the photo too, which would make information technology very easy to access.

The problem has now been completely fixed and API admission is no longer available either without authentication, or with basic subscriber credentials.

Peloton told TechCrunch, "Going forward, nosotros volition do better to work collaboratively with the security inquiry community and respond more than promptly when vulnerabilities are reported."

More: Apple Fitness Plus but got 3 large upgrades to take on Peloton

Ian has been involved in technology journalism since 2007, originally writing virtually AV hardware back when LCDs and plasma TVs were just gaining popularity. Near 15 years on, he remains as excited as always about how tech can make your life amend. Ian is the editor of T3.com but has likewise regularly contributed to Tom's Guide.