Peloton Data Hack Is a Reminder to Lie Whenever You Can
Peloton has a data breach. Good news? Information about your exercise habits that later became available to outsiders is not so terrible. Peloton’s belated response is far more troubling, however.
As Pen Test Partners revealed in a recent blog post, several of the APIs that the company has used in the past could be requested by anyone – both authenticated and unauthenticated users. The company later changed that to only allow the former, but that wasn’t much of a defense given that anyone interested in the data could simply register for a free Peloton account.
As for what an attacker could hijack, the data available included:
- User ID
- Instructor ID
- Group Membership
- Location
- Training statistics
- Gender and age
- Was there a man in the studio or not
This is annoying, but not terrible. There is little an attacker can do if he knows how much you exercise. But it is entirely possible that they could use this information (alone or in combination with other information provided by other data breaches) to send you a smart phishing attempt.
It is doubly worrisome how long it took Peloton to respond to messages about these (usually open) APIs. As Pen Test Partners notes:
- 20 – th January 2021: open privately Peloton, in accordance with their [Disclosure Vulnerability Program].
- 20 – th January 2021: receipt acknowledged. This is the last thing we heard from Peloton.
- January 22, 2021 : We requested updates and offered help in replicating the vulnerability. No answer.
- 2 – th February 2021: unauthenticated API endpoint problem silently and partially solved – the user data is now only available to all authorized users of the peloton. Eh …?
- 2 – th February 2021: we were asked to upgrade, given the silence correct. No answer.
- After 90 days, we asked a trusted journalist to speak to Peloton on our behalf.
The journalist mentioned was Zach Whittaker of TechCrunch, who ended up publishing an article about Peloton that finally grabbed the company’s attention and, more importantly, influenced change.
As a security / privacy enthusiast, it’s frustrating for me to see things get to this point. While Peloton claims to have taken action since the vulnerability was first reported, it is an odd coincidence that the vulnerabilities remained exploitable – in fact, cleanable – until one of the largest technology publications uncovered the issue. Peloton has yet to confirm or deny the fact that the data was not collected en masse by the outside, which is even more annoying.
Should this whole episode make you throw your Peloton bike in the bin? No. This is expensive equipment. However, I will keep a close eye on news of any future Peloton data breaches; you may have to act on them yourself rather than wait for Peloton to take appropriate steps to disclose (and correct) the information. You might also consider hiding your details where possible. If it’s not necessary for cycling (or jogging), then Peloton doesn’t need it – give them a fake birthday, address, name, etc. Your competing exercise friends won’t mind.