Due to a flaw in Peloton’s API, the personal data of its riders was exposed. The API leakage allegedly occurred after the company ignored a vulnerability disclosure from a penetration testing company. Although Peloton partially fixed the hole, they failed to fully secure the database. The news comes amid other troubles for Peloton after their treadmills were linked to 70 injuries and the death of a child. The treadmills have since been recalled.
Peloton also admitted that they were wrong to refuse to pull the equipment originally despite warnings from the Consumer Product Safety Commission (CPSC). In April, the commission released a publication warning that the machine posed serious risks to children. The API leakage included personal information such as user IDs, instructor IDs, group membership, location, workout stats, gender, and age.