- Peloton has suffered a data breach.
- Several of the company's APIs could previously be queried by anyone, whether or not the caller was logged in: the endpoints returned other users' records without checking who was asking.
- As for what an attacker could scoop up, the available data included:
- User IDs
- Instructor IDs
- Group membership
- Location
- Workout stats
- Gender and age
- If a person was in the studio or not
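The flaw class behind the API bullet above (endpoints that hand out user records without checking who is asking) can be shown in a few lines. This is an added example, not Peloton's code and not from the original article: the profile fields, session tokens, user IDs and the three handler versions are all constructed for illustration. The first two handlers model the two exposed states the article describes (no login needed, then login needed but any account can read any user); the third adds the object-level check that actually closes the hole, and a scraper loop shows how many records each version leaks to an enumerating attacker.

```python
"""Constructed illustration of a profile API with missing authentication,
then missing authorization, then a proper owner check. No real data."""

from dataclasses import dataclass, asdict
from typing import Callable, Iterable


@dataclass(frozen=True)
class Profile:
    user_id: int
    gender: str
    age: int
    location: str
    workouts: int
    private: bool  # user opted into a private profile


# Constructed sample records; hypothetical users, not real ones.
PROFILES = {
    1: Profile(1, "F", 34, "Austin", 212, True),
    2: Profile(2, "M", 41, "Denver", 87, False),
    3: Profile(3, "F", 29, "Boston", 530, True),
}

# Constructed session store: bearer token -> user_id of the logged-in user.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class ApiError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status


def get_profile_v0(user_id: int) -> dict:
    """Original state: no authentication at all; anyone on the internet can read any record."""
    profile = PROFILES.get(user_id)
    if profile is None:
        raise ApiError(404, "no such user")
    return asdict(profile)


def get_profile_v1(token: str, user_id: int) -> dict:
    """First 'fix': a valid session is required, but any session may fetch any user.
    Authentication without object-level authorization; a scraper only needs one account."""
    if token not in SESSIONS:
        raise ApiError(401, "login required")
    return get_profile_v0(user_id)


def get_profile_v2(token: str, user_id: int) -> dict:
    """Hardened: session required, and a private profile is returned only to its owner."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise ApiError(401, "login required")
    profile = PROFILES.get(user_id)
    if profile is None or (profile.private and caller != user_id):
        # Same response for missing and forbidden IDs, so the endpoint cannot be
        # used to learn which user IDs exist.
        raise ApiError(404, "no such user")
    return asdict(profile)


def scrape(fetch: Callable[[int], dict], ids: Iterable[int]) -> list[int]:
    """Enumerate sequential IDs the way a scraper would; return the IDs that leaked."""
    leaked = []
    for uid in ids:
        try:
            fetch(uid)
            leaked.append(uid)
        except ApiError:
            pass
    return leaked


if __name__ == "__main__":
    ids = range(1, 6)
    print("v0 (no auth):        ", scrape(get_profile_v0, ids))
    print("v1 (auth only, bob): ", scrape(lambda u: get_profile_v1("tok-bob", u), ids))
    print("v2 (owner check, bob):", scrape(lambda u: get_profile_v2("tok-bob", u), ids))
```

The point of the two leaky versions is that requiring a login is not the same as authorizing the request: with v1, one free account is enough to walk the whole ID space. The v2 check compares the caller's identity to the record being requested, and returns an identical 404 for missing and forbidden IDs so the fix does not turn into an ID-enumeration oracle.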
- On its own, knowing how often you work out gives an attacker little to work with. Combined with the other fields above, or with data from earlier breaches, it is enough to craft a convincing targeted phishing attempt.
- While Peloton claims it had been taking action ever since the initial vulnerability report, it is oddly coincidental that the data remained exploitable (scrapeable, really) until one of the biggest publications in tech exposed the problem.
– David Murphy | May 10, 2021