Peloton Is Having A Rough Week: Product Safety Recalls And News Of Customer Data Exposure

from the spinning-in-circles dept

Peloton is, as they say, having a rough week. While the company has been something of a pop culture darling for several years, it also got a nice boost from this lovely COVID-19 pandemic we’ve all been suffering through for more than a year now. Still, no company gets through its full lifecycle unscathed and this week has been a week I’m certain the Peloton folks would love to forget. We’ll get started with the less-Techdirt centric part of this, which is that Peloton recently had to recall two of its treadmills after it turns out those treadmills occasionally enjoy eating people, especially very young children.

Peloton has received at least 72 reports of adults, children, pets and/or objects getting dragged under their Tread+ treadmill. In those incidents, 29 children suffered injuries, which included second- and third-degree abrasions, broken bones, and lacerations, the US Consumer Product Safety Commission noted.

In February, a father reported to the CPSC that his 3-year-old son was pulled under a Tread+ and trapped. When the father discovered his son and was able to free him, the toddler was pulseless and not breathing, according to the report. Fortunately, the boy was resuscitated, but he “now has significant brain injury.” The boy had tread marks on his back matching the slats of the Tread+, as well as a neck injury, and petechiae (small blood spots) on his face, presumably from blood flow being cut off.

When Peloton learned of the “unthinkable” death of the 6-year-old in March, Peloton CEO John Foley sent a note to customers noting the “tragic accident” and highlighting safety warnings for its treadmills. The March 18 note cautioned customers to “keep children and pets away from Peloton exercise equipment at all times.”

Those warnings were glaringly insufficient and the CPSC basically told people to stop using the product. In mid-April, Peloton’s CEO informed customers that the company was aware of the CPSC advice, but that the company was not planning to stop selling the treadmills at all. Instead, the company essentially said that if the product warnings were adhered to, there was no problem. It was only this week when the company admitted that this was a mistake in approach and issued a recall for the two treadmills in question. That it should have done so, and subsequently added physical protection to its products to avoid all of this, really should have been painfully obvious once we got to the part where a 3 year old suffered lifelong injuries and treadmarks across his back and another child… you know… died.

But the troubles for the company keep on coming. The most recent news is that security researchers found that Peloton had exposed customer data to, well, basically anyone with a little technical know-how and then tried to keep the whole thing silent with an enormously insufficient “fix.”

Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.

The reporting indicates that this exposure included customer information such as their user IDs, group memberships, workout information, age, gender, weight, and more. You know, probably not the sort of thing customers that set their profiles to private while trying to exercise and/or lose weight would want exposed to anyone that wanted to take a look. The APIs apparently required no authentication. When Pen Test Partners reached out to the company and informed them of all of this, the company immediately acknowledged the information… and then did nothing for two weeks.

Two weeks later, the Peloton rolled out a half-fix without informing anyone.

Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber. When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Test Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.

“I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users,” Munro told me. “I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs.”

This doubling up of a callous response to the physical and virtual safety of its own customers is a horrible look for Peloton. Again, with the exception of a possibly ill-conceived advertisement campaign a few years back, this company is an absolute media darling with a fair amount of good will built up for itself. Simply by not taking its customer’s safety seriously, that good will seems to be pretty seriously at risk.

And, it’s worth noting, breaches and exposures like this almost always turn out to be more serious than first reported. Maybe that won’t be the case this time. Or maybe Peloton’s bad time is about to get even worse.

Filed Under: , ,
Companies: peloton

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Peloton Is Having A Rough Week: Product Safety Recalls And News Of Customer Data Exposure”

Subscribe: RSS Leave a comment
15 Comments
That One Guy (profile) says:

'... They're still paying us right? What's the problem?'

Informed by dozens of people that their treadmills can be seriously dangerous to children and pets, with one kid left with lifelong brain-damage and another dead and they blame the victims by claiming that if people just heed the safety warnings their stuff is perfectly safe. Informed that their digital security might as well be non-existent they shrug it off for two weeks only to roll out a mediocre ‘fix’, and only decide to get serious when security researchers tell them they’ll be talking to the press next…

Oh yeah, this is definitely a company that puts it’s customers first and foremost and one that absolutely deserves trust and support from the public.

Anonymous Coward says:

Re: Re: '... They're still paying us right? What's the problem?'

That IS the question.

For comparison, commercial exercise places are noted for a lack of toddlers running around, let alone unsupervised for a minute. The safety of devices in that environment is essentially untested.

And don’t underestimate the ability of a child to get around all the safety methods you have installed. They can and will plug things back in, drag chairs or tables over to turn the on switch back on, etc. Witness, for instance, the children who have come to grief, after having watched their parents open the gun safe.

That One Guy (profile) says:

Re: Re: '... They're still paying us right? What's the problem?'

Given the CPSC(Consumer Product Safety Commission, a government agency) was willing to go so far as to tell people not to use Peloton’s treadmills I suspect that either they were notably worse on safety features, or they lacked safety features that the change in environment(gym vs home use) should have warranted being added.

Anonymous Coward says:

Re: Re: '... They're still paying us right? What's the problem?'

Is their treadmill inherently more dangerous or lacking of common safety features that other treadmills have?

Yes. In most other treadmills, the bottom part of the belt is concealed (i.e., the part returning from the back to the front). The Peloton has no cover there, making it effectively a double-sided treadmill. Anything between the floor and belt can get sucked under, then pulled all the way to the front of the treadmill.

Often, there’s also a dead-man switch (with a cord to attach to oneself) and/or a weight sensor, either of which will stop the belt if nobody’s on it. You know, like if they fell off and they’re under it now, or they’ve run to get help for someone. The video shows the Peloton still running, with a kid being sucked under and nobody on top. It’d probably be a good idea to put an infrared/laser beam near the back too, if they don’t already.

This comment has been flagged by the community. Click here to show it.

Bloof (profile) says:

Treadmills were originally used as a torture device in Victorian prisons, so it shouldn’t shock people they’ve started maiming people. Speaking of harming people, Peloton has been quietly lobbying ti get state usury laws struck down to make it easier for them to sell their absurdly expensive torture equipment without any consideration for all the loansharks and payday lenders it would make life easier for. What a time to be alive!

Bobvious says:

I wondered how Peloton would spin this

When first informed of the lethal outcomes, the company axle defensive about it and wheels out some trite response and only ups the pace after Zak W spoke. Their data exposure response was a slow leak patch which left people deflated initially. I guess this is what happens when the executives have a pumped-up sense of their own importance.

techflaws (profile) says:

Again, with the exception of a possibly ill-conceived
advertisement campaign a few years back, this company is an
absolute media darling with a fair amount of good will built up for
itself.

Oh really? I thought they’d became widely laughed at for the outrageous pricing on their bikes but okay, there’s also people who bought a Juicero so what do I know…

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...