A security researcher has revealed that a Peloton API failure allowed anyone to access the data of any Peloton user from across the world, even if the profile was set to private.
Anyone who found the flawed API endpoints could read an account’s age, gender, location, weight, birthday, and workout insights. Fortunately, more sensitive data such as billing information was not at risk, and no major breaches took place.
“An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data,” TechCrunch explains. “[Security Researcher Jan] Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.”
Peloton didn’t fix the leak by that deadline, and because the details weren’t made public, the flaw drew little attention. Peloton did change the API so that only logged-in members could call it, but anyone could sign up for a Peloton membership and still pull other users’ private information: the fix checked that a caller was authenticated, not whether that caller was allowed to see the requested profile. TechCrunch contacted Peloton after the deadline had passed, forcing the company to correct the issue to avoid a PR nightmare.
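The three states the article describes, written out as an added example (not Peloton’s code; the profile fields, sample users, and function names are constructed for illustration): an endpoint with no access control, the partial fix that only checked for a logged-in member, and a version that enforces the profile’s privacy setting against the requesting user.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample records for the example; not real Peloton data.
@dataclass(frozen=True)
class Profile:
    user_id: str
    private: bool
    age: int
    location: str
    weight_kg: int

PROFILES = {
    "alice": Profile("alice", private=True, age=34, location="Denver", weight_kg=61),
    "bob": Profile("bob", private=False, age=41, location="Austin", weight_kg=84),
}

# Fields a private profile should expose to anyone other than its owner.
PUBLIC_FIELDS = ("user_id",)

def _render(profile: Profile, full: bool) -> dict:
    data = asdict(profile)
    return data if full else {k: data[k] for k in PUBLIC_FIELDS}

def get_profile_unauthenticated(requester: Optional[str], target: str) -> dict:
    """State 1 (original leak): no access control; any caller gets any profile."""
    return _render(PROFILES[target], full=True)

def get_profile_members_only(requester: Optional[str], target: str) -> dict:
    """State 2 (partial fix): a login is required, but nothing checks *which*
    member is asking, so any member still reads any private profile in full."""
    if requester is None:
        raise PermissionError("login required")
    return _render(PROFILES[target], full=True)

def get_profile_owner_aware(requester: Optional[str], target: str) -> dict:
    """State 3 (object-level authorization): a private profile is returned in
    full only to its owner; everyone else gets the public subset."""
    if requester is None:
        raise PermissionError("login required")
    profile = PROFILES[target]
    is_owner = requester == profile.user_id
    return _render(profile, full=is_owner or not profile.private)
```

The middle function is the trap the article describes: authentication answers "is this a member?", while the leak was a missing authorization check, "may this member see that record?".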
The risk also had a potentially far-reaching dimension. President Joe Biden is a Peloton rider, so a leak of his health data could have had national-security implications. For security reasons, it’s unknown whether the president is still using the bike, and it’s unlikely that knowing how fast Biden can bike a mile would have brought any serious repercussions.
SH Data Tech doesn’t offer a spin class (yet), but we can help you improve your company’s digital security. Learn more by contacting us today!