Peloton Is Having A Rough Week: Product Safety Recalls And News Of Customer Data Exposure

from the spinning-in-circles dept

Peloton is, as they say, having a rough week. While the company has been something of a pop culture darling for several years, it also got a nice boost from this lovely COVID-19 pandemic we've all been suffering through for more than a year now. Still, no company gets through its full lifecycle unscathed and this week has been a week I'm certain the Peloton folks would love to forget. We'll get started with the less Techdirt-centric part of this, which is that Peloton recently had to recall two of its treadmills after it turns out those treadmills occasionally enjoy eating people, especially very young children.

Peloton has received at least 72 reports of adults, children, pets and/or objects getting dragged under their Tread+ treadmill. In those incidents, 29 children suffered injuries, which included second- and third-degree abrasions, broken bones, and lacerations, the US Consumer Product Safety Commission noted.

In February, a father reported to the CPSC that his 3-year-old son was pulled under a Tread+ and trapped. When the father discovered his son and was able to free him, the toddler was pulseless and not breathing, according to the report. Fortunately, the boy was resuscitated, but he “now has significant brain injury.” The boy had tread marks on his back matching the slats of the Tread+, as well as a neck injury, and petechiae (small blood spots) on his face, presumably from blood flow being cut off.

When Peloton learned of the “unthinkable” death of the 6-year-old in March, Peloton CEO John Foley sent a note to customers noting the “tragic accident” and highlighting safety warnings for its treadmills. The March 18 note cautioned customers to “keep children and pets away from Peloton exercise equipment at all times.”

Those warnings were glaringly insufficient and the CPSC basically told people to stop using the product. In mid-April, Peloton's CEO informed customers that the company was aware of the CPSC advice, but that the company was not planning to stop selling the treadmills at all. Instead, the company essentially said that if the product warnings were adhered to, there was no problem. It was only this week when the company admitted that this was a mistake in approach and issued a recall for the two treadmills in question. That it should have done so, and subsequently added physical protection to its products to avoid all of this, really should have been painfully obvious once we got to the part where a 3-year-old suffered lifelong injuries and tread marks across his back and another child... you know... died.

But the troubles for the company keep on coming. The most recent news is that security researchers found that Peloton had exposed customer data to, well, basically anyone with a little technical know-how and then tried to keep the whole thing silent with an enormously insufficient "fix."

Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.

The reporting indicates that this exposure included customer information such as their user IDs, group memberships, workout information, age, gender, weight, and more. You know, probably not the sort of thing customers that set their profiles to private while trying to exercise and/or lose weight would want exposed to anyone that wanted to take a look. The APIs apparently required no authentication. When Pen Test Partners reached out to the company and informed them of all of this, the company immediately acknowledged the information... and then did nothing for two weeks.

Two weeks later, Peloton rolled out a half-fix without informing anyone.

Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber. When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Test Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.

"I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users," Munro told me. "I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs."
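The exposure and the "half-fix" described in the two quoted passages above (profile endpoints that needed no authentication at all, then endpoints that checked for a session but never checked whether the caller was allowed to see that particular profile) are the same pattern defenders usually file under broken object-level authorization. The Python below is an added illustration for this post and is not Peloton's code or Pen Test Partners' proof of concept: the records, the field names, the `is_private` flag and the "private profile answers 404 like an unknown id" policy are all assumptions constructed for the example. It models the endpoint three ways and audits which variants hand a non-owner a private user's data.

```python
"""Object-level authorization on a profile endpoint: bug, half-fix, real fix.

Added example; not Peloton's code or the researchers' proof of concept.
Sample records, field names and the authorization policy are constructed.
"""
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional


@dataclass
class Profile:
    user_id: int
    username: str
    is_private: bool
    age: int
    gender: str
    weight_kg: float
    groups: List[str] = field(default_factory=list)


# Constructed sample records for the example; not real accounts.
PROFILES = {
    1: Profile(1, "alice", True, 34, "F", 61.0, ["tread-club"]),
    2: Profile(2, "bob", False, 41, "M", 88.5, []),
    3: Profile(3, "carol", False, 29, "F", 57.2, ["5k-runners"]),
}
# The kinds of fields the report says were exposed for private profiles.
SENSITIVE = {"age", "gender", "weight_kg", "groups"}


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class NotFound(Exception):
    """Unknown id, or an object the caller may not learn exists (HTTP 404)."""


# Variant 1 - the bug as reported: the session is ignored, every field for any id.
def get_profile_unauthenticated(session_user_id: Optional[int], target_id: int) -> dict:
    p = PROFILES.get(target_id)
    if p is None:
        raise NotFound(target_id)
    return asdict(p)


# Variant 2 - the "half-fix": a session is required, but any subscriber can
# still read every field of any other subscriber.
def get_profile_auth_only(session_user_id: Optional[int], target_id: int) -> dict:
    if session_user_id not in PROFILES:
        raise Unauthorized()
    p = PROFILES.get(target_id)
    if p is None:
        raise NotFound(target_id)
    return asdict(p)  # authentication happened; authorization never did


# Variant 3 - object-level authorization (assumed policy, not Peloton's):
#   owner -> everything; public profile -> what the user chose to share;
#   private profile viewed by anyone else -> 404, identical to an unknown id,
#   so the endpoint cannot be used to confirm that a private account exists.
def get_profile_authorized(session_user_id: Optional[int], target_id: int) -> dict:
    if session_user_id not in PROFILES:
        raise Unauthorized()
    p = PROFILES.get(target_id)
    if p is None or (p.is_private and p.user_id != session_user_id):
        raise NotFound(target_id)
    return asdict(p)


def leaks_private_data(handler, session_user_id: Optional[int], target_id: int) -> bool:
    """True if `handler` gives a non-owner any sensitive field of a private profile."""
    target = PROFILES[target_id]
    if not target.is_private or session_user_id == target_id:
        return False  # nothing private to leak, or the owner is asking
    try:
        out = handler(session_user_id, target_id)
    except (Unauthorized, NotFound):
        return False
    return bool(out.keys() & SENSITIVE)


def audit(target_id: int = 1, subscriber_id: int = 2) -> Dict[str, Dict[str, bool]]:
    """Try each variant as an anonymous caller and as an ordinary subscriber."""
    variants = {
        "unauthenticated": get_profile_unauthenticated,
        "auth_only": get_profile_auth_only,
        "authorized": get_profile_authorized,
    }
    return {
        name: {
            "anonymous": leaks_private_data(h, None, target_id),
            "subscriber": leaks_private_data(h, subscriber_id, target_id),
        }
        for name, h in variants.items()
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:16s} {result}")
```

The `audit` function is the check worth keeping in a regression suite: an authorization test that logs in as an ordinary subscriber and asserts it cannot read another subscriber's private fields would have failed against the auth-only change, which is exactly the gap the second report to the company pointed out.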

This doubling up of a callous response to the physical and virtual safety of its own customers is a horrible look for Peloton. Again, with the exception of a possibly ill-conceived advertisement campaign a few years back, this company is an absolute media darling with a fair amount of good will built up for itself. Simply by not taking its customers' safety seriously, that good will seems to be pretty seriously at risk.

And, it's worth noting, breaches and exposures like this almost always turn out to be more serious than first reported. Maybe that won't be the case this time. Or maybe Peloton's bad time is about to get even worse.


Filed Under: api, data leak, recall
Companies: peloton


Reader Comments



  1. That One Guy (profile), 6 May 2021 @ 6:30pm

    '... They're still paying us right? What's the problem?'

    Informed by dozens of people that their treadmills can be seriously dangerous to children and pets, with one kid left with lifelong brain-damage and another dead and they blame the victims by claiming that if people just heed the safety warnings their stuff is perfectly safe. Informed that their digital security might as well be non-existent they shrug it off for two weeks only to roll out a mediocre 'fix', and only decide to get serious when security researchers tell them they'll be talking to the press next...

    Oh yeah, this is definitely a company that puts its customers first and foremost and one that absolutely deserves trust and support from the public.



  3. Bloof (profile), 7 May 2021 @ 1:29am

    Treadmills were originally used as a torture device in Victorian prisons, so it shouldn't shock people they've started maiming people. Speaking of harming people, Peloton has been quietly lobbying to get state usury laws struck down to make it easier for them to sell their absurdly expensive torture equipment without any consideration for all the loansharks and payday lenders it would make life easier for. What a time to be alive!


  4. Bobvious, 7 May 2021 @ 3:45am

    I wondered how Peloton would spin this

    When first informed of the lethal outcomes, the company axle defensive about it and wheels out some trite response and only ups the pace after Zak W spoke. Their data exposure response was a slow leak patch which left people deflated initially. I guess this is what happens when the executives have a pumped-up sense of their own importance.


  5. Bobvious, 7 May 2021 @ 3:50am

    Treadmill


  6. techflaws (profile), 7 May 2021 @ 4:03am

    Again, with the exception of a possibly ill-conceived advertisement campaign a few years back, this company is an absolute media darling with a fair amount of good will built up for itself.

    Oh really? I thought they'd become widely laughed at for the outrageous pricing on their bikes but okay, there's also people who bought a Juicero so what do I know...


  7. Bloof (profile), 7 May 2021 @ 4:19am

    Re:

    They were a media darling in the sense that they spend hundreds of millions of dollars on advertising so weren't as widely ridiculed as an exercise bike company that values itself in the billions probably should be.


  8. That Anonymous Coward (profile), 7 May 2021 @ 4:29am

    What do a few corpses, maimed children & pets matter?
    SHAREHOLDER VALUE!!!!!!!!!

    I look forward to some government agency getting a hold of the docs about the development, I personally wouldn't be shocked to learn that earlier designs had a $1 part that kept things from being sucked under but a dollar saved is a bonus earned!


  9. Dark Helmet (profile), 7 May 2021 @ 8:02am

    Re: Re:

    They are/were also a media darling specifically when it came to the reception the company has received in many corners of the corporate finance and trading market world. I can't tell you how full my Twitter account is with knowledgeable folks wondering why people were buying crypto when they could invest in Peloton instead....


  10. Bloof (profile), 7 May 2021 @ 8:09am

    Re: Re: Re:

    If an overpriced IoT bike company and online chuck-e-cheese tokens are seen as good investments, the next global financial collapse is going to be brutal.


  11. Anonymous Coward, 7 May 2021 @ 9:47am

    Re: '... They're still paying us right? What's the problem?'

    Is their treadmill inherently more dangerous or lacking of common safety features that other treadmills have?


  12. Anonymous Coward, 7 May 2021 @ 10:42am

    Re: Re: '... They're still paying us right? What's the problem?'

    That IS the question.

    For comparison, commercial exercise places are noted for a lack of toddlers running around, let alone unsupervised for a minute. The safety of devices in that environment is essentially untested.

    And don't underestimate the ability of a child to get around all the safety methods you have installed. They can and will plug things back in, drag chairs or tables over to turn the on switch back on, etc. Witness, for instance, the children who have come to grief, after having watched their parents open the gun safe.


  13. That One Guy (profile), 7 May 2021 @ 2:53pm

    Re: Re: '... They're still paying us right? What's the problem?'

    Given the CPSC (Consumer Product Safety Commission, a government agency) was willing to go so far as to tell people not to use Peloton's treadmills I suspect that either they were notably worse on safety features, or they lacked safety features that the change in environment (gym vs home use) should have warranted being added.


  14. Anonymous Coward, 7 May 2021 @ 5:33pm

    Re: Re: '... They're still paying us right? What's the problem?'

    Is their treadmill inherently more dangerous or lacking of common safety features that other treadmills have?

    Yes. In most other treadmills, the bottom part of the belt is concealed (i.e., the part returning from the back to the front). The Peloton has no cover there, making it effectively a double-sided treadmill. Anything between the floor and belt can get sucked under, then pulled all the way to the front of the treadmill.

    Often, there's also a dead-man switch (with a cord to attach to oneself) and/or a weight sensor, either of which will stop the belt if nobody's on it. You know, like if they fell off and they're under it now, or they've run to get help for someone. The video shows the Peloton still running, with a kid being sucked under and nobody on top. It'd probably be a good idea to put an infrared/laser beam near the back too, if they don't already.


  15. Anonymous Coward, 7 May 2021 @ 5:36pm

    Re:

    Treadmills were originally used as a torture device in Victorian prisons

    Yeah, but just to exhaust people. Even the Victorian torturers didn't think of crushing them under the machinery.

