Peloton users’ private data, including birthday, location, gender, weight and workout statistics, was exposed to the public due to a leaky application programming interface, TechCrunch reported Wednesday. The bug with the API, which is software that facilitates communication between applications, made Peloton users’ info vulnerable to data-scraping attacks similar to those . Peloton said the bug has since been fixed.
A security researcher originally discovered the API vulnerability, which allowed him to access the user data even among Peloton profiles that were set to private. TechCrunch reported that the researcher told Peloton of the flaw on Jan. 20 but that the vulnerability still wasn’t fixed three months later, after the 90-day grace period that security testers typically give companies to fix a vulnerability. The publication said that after that deadline, it asked Peloton why the researcher’s information had been ignored and was told the bug had been dealt with.
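The failure described above is an object-level authorization gap: the API looked up the requested profile and returned it without asking who was asking or whether the owner had marked the profile private. The following Python sketch is an added example, not Peloton's code and not the researcher's findings; its in-memory store, field names and sample users are constructed for illustration. It puts the broken read pattern beside the hardened one and adds the regression check a defender would keep in CI so that a private profile can never again be read in full by anyone but its owner.

```python
"""Illustrative profile-API authorization check (added example, not Peloton's code).

Models the reported failure mode with a hypothetical in-memory user table and
shows the object-level authorization check that closes it: the server decides
what to return based on who is asking, not only on whether the record exists.
"""
from dataclasses import dataclass, asdict, field
from typing import Callable, Optional

# Fields that a private profile must never expose to anyone but its owner
# (the categories the report lists as exposed).
SENSITIVE_FIELDS = {"birthday", "location", "gender", "weight", "workout_stats"}


@dataclass
class Profile:
    user_id: int
    username: str
    is_private: bool
    birthday: str
    location: str
    gender: str
    weight: int
    workout_stats: dict = field(default_factory=dict)


class NotFound(Exception):
    pass


# Constructed sample data standing in for the application's user table.
PROFILES = {
    1: Profile(1, "alice", True, "1990-01-01", "Denver", "F", 60, {"rides": 42}),
    2: Profile(2, "bob", False, "1985-05-05", "Austin", "M", 80, {"rides": 7}),
}


def get_profile_vulnerable(target_id: int, viewer_id: Optional[int]) -> dict:
    """Broken pattern: look up the record and return every field.

    viewer_id is accepted but never consulted, and neither is the owner's
    privacy flag, so any client that can reach the endpoint (authenticated
    or not) receives the full record and can scrape it at will."""
    profile = PROFILES.get(target_id)
    if profile is None:
        raise NotFound(target_id)
    return asdict(profile)


def get_profile(target_id: int, viewer_id: Optional[int]) -> dict:
    """Hardened pattern: object-level authorization on every read.

    viewer_id is the authenticated caller (None means anonymous). The owner
    sees the full record; anyone else sees only the non-sensitive fields when
    the profile is private. Public profiles are returned unchanged."""
    profile = PROFILES.get(target_id)
    if profile is None:
        raise NotFound(target_id)
    data = asdict(profile)
    if viewer_id == profile.user_id or not profile.is_private:
        return data
    # Non-owner reading a private profile: strip every sensitive field.
    return {k: v for k, v in data.items() if k not in SENSITIVE_FIELDS}


def leaked_fields(handler: Callable[[int, Optional[int]], dict],
                  viewer_id: Optional[int]) -> set:
    """Regression check for CI: read every private profile as the given
    non-owner viewer and report any sensitive field that comes back.
    An empty set means the handler enforces the privacy setting."""
    leaks = set()
    for pid, profile in PROFILES.items():
        if not profile.is_private or viewer_id == profile.user_id:
            continue
        try:
            returned = handler(pid, viewer_id)
        except NotFound:
            continue
        leaks |= SENSITIVE_FIELDS & set(returned)
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", sorted(leaked_fields(get_profile_vulnerable, None)))
    print("hardened handler leaks:  ", sorted(leaked_fields(get_profile, None)))
```

The check deliberately runs as an anonymous viewer and as an unrelated authenticated user, because both were able to read private data according to the report; a fix that only gates on "is the caller logged in" would pass the first case and still fail the second.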
Asked to comment on the TechCrunch report, a Peloton spokesperson said in a statement that the company’s communication with the researcher was lacking.
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community,” the spokesperson said. “Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.”
It’s unclear whether any malicious actors accessed the personal info while it was exposed.