Peloton has suffered a data breach. The good news? The information about your exercise habits that subsequently became freely accessible by outsiders isn’t all that damning. Peloton’s delayed response, however, is far more concerning.
As Pen Test Partners described in a recent blog post, a handful of APIs the company uses previously could have been queried by anyone—authenticated and unauthenticated users alike. That was later changed by the company to only permit the former, but that wasn’t much of a protection given that anyone interested in the data could have simply registered for a free Peloton account.
As for what an attacker could scoop up, the available data included:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- If a person was in the studio or not
That’s annoying, but not horrible. There’s not much an attacker can do if they know how much you work out. But it is possible that they could use this information (standalone or in combination with other information provided by other data breaches) to send you a clever phishing attempt.
What is doubly troubling is just how long it took Peloton to respond to reports about these (generally open) APIs. As Pen Test Partners notes:
- 20th January 2021: disclosed privately to Peloton, as per their [Vulnerability Disclosure Program].
- 20th January 2021: receipt acknowledged. This is the last we heard from Peloton.
- 22nd January 2021: we requested an update and offered assistance replicating the vulnerability. No response.
- 2nd February 2021: unauthenticated API endpoint issue was silently and partly resolved – user data was now only available to all authenticated Peloton users. Er…?
- 2nd February 2021: we asked for an update, given the silent fix. No response.
- After 90 days we asked a trusted journalist to speak to Peloton on our behalf.
Said journalist was TechCrunch’s own Zack Whittaker, who ended up publishing a piece on Peloton that finally seemed to get the company’s attention and, more importantly, effect change.
As a security/privacy enthusiast, I find it frustrating to watch things get to that point. While Peloton claims that it was taking action ever since the initial vulnerability submission, it’s just oddly coincidental that the vulnerabilities remained exploitable—scrapeable, really—until one of the biggest publications in tech exposed the problem. Peloton has yet to confirm or deny that the data wasn’t scraped en masse by an outside party, which is ever-more annoying.
Should this entire episode make you throw your Peloton bike in the trash? No. That’s an expensive piece of equipment. However, I’d keep my ear out for news of any future Peloton data breaches; you might have to act on them yourself, rather than wait for Peloton to take the appropriate disclosure steps (and remediation). You might also want to consider obfuscating your data, wherever possible. If it isn’t necessary for your bike ride (or jog), then there’s no reason Peloton needs it—give them a fake birthday, address, name, et cetera. Your competing exercise pals won’t mind.