Software bug exposed Peloton users private account data

A flaw in Peloton's online service exposed sensitive user data, making it available to anyone on the internet even when a profile was set to private, Jan Masters, a security researcher at Pen Test Partners, has found.

Peloton makes network-connected stationary bikes and treadmills and also gives users access to live classes and sessions with a coach, as well as classes for treadmill, yoga, and outdoor running.

Masters discovered that he could make unauthenticated requests to Peloton's application programming interface (API) for user account data, and the API returned it without checking whether the requester was allowed to see it.

The exposed information included user IDs, instructor IDs, group membership, workout stats, gender and age, weight, and whether a user was in the studio.

The researcher said he contacted Peloton about the API bug in January and promptly received a response acknowledging the issue; after that, however, the company went silent. At the beginning of February Peloton quietly issued a partial fix that made user data available only to authenticated Peloton users, so any logged-in account could still retrieve data from private profiles. The researcher then informed the company that the fix was inadequate but again received no response. The issue was fully fixed in May, after Pen Test Partners contacted Peloton's new CISO directly.
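As an added illustration of the authorization gap the article describes, and not code from Peloton or Pen Test Partners: three hypothetical profile-lookup handlers that mirror the original behaviour, the February partial fix (authentication only), and a proper fix that also honours the profile's private setting. The field names, the two sample profiles and the rule that a private profile's stats are visible only to its owner are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample records; the schema is hypothetical, not Peloton's.
@dataclass
class Profile:
    user_id: str
    private: bool
    display_name: str
    weight_kg: float
    age: int

PROFILES = {
    "u1": Profile("u1", private=True, display_name="alice", weight_kg=61.0, age=34),
    "u2": Profile("u2", private=False, display_name="bob", weight_kg=80.0, age=41),
}

# Fields that may be shown for a private profile to anyone but its owner.
PUBLIC_FIELDS = ("user_id", "display_name")


def original_handler(target_id: str, caller_id: Optional[str]) -> dict:
    """Behaviour described in the article: no authentication, no authorization."""
    return dict(vars(PROFILES[target_id]))


def partial_fix_handler(target_id: str, caller_id: Optional[str]) -> dict:
    """February-style fix: any logged-in user may read any profile, private or not."""
    if caller_id is None:
        raise PermissionError("authentication required")
    return dict(vars(PROFILES[target_id]))


def fixed_handler(target_id: str, caller_id: Optional[str]) -> dict:
    """Authentication plus authorization: private profiles reveal stats only to the owner."""
    if caller_id is None:
        raise PermissionError("authentication required")
    profile = PROFILES.get(target_id)
    if profile is None:
        raise LookupError("no such profile")
    full = dict(vars(profile))
    if caller_id == target_id or not profile.private:
        return full
    return {k: full[k] for k in PUBLIC_FIELDS}


def access_denied(handler: Callable, target_id: str, caller_id: Optional[str]) -> bool:
    """True if the handler refuses the request outright (useful for checking each variant)."""
    try:
        handler(target_id, caller_id)
    except PermissionError:
        return True
    return False
```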
