Peloton Interactive, Inc., an exercise equipment and media company based in New York, has acknowledged that its treadmills are dangerous after a child died and other people were injured while the machines were in use.

The company is recalling the products, it said in a joint statement with the US Consumer Product Safety Commission (CPSC) on Wednesday.

Peloton also admitted it had made a serious mistake when it initially refused to recall the treadmills after multiple people were injured and one child was killed in accidents involving the expensive equipment.

Acknowledging that the Peloton brand will be seriously affected by these incidents, the company says it intends to work to “get back on the right side of the line with trust and safety.”

The recall of both the Tread and the Tread+ follows more than 70 reported incidents, including the death of one child and 29 other cases in which users reported injuries such as broken bones and cuts, the company and the CPSC announced Wednesday.

The machines cost between $2,500 and $4,400 each, and owners typically pay an additional monthly fee for streamed exercise classes.

Peloton estimated the recalls would cost it $165 million, almost three times the $63.6 million net income it reported for all of 2020.

John Foley, Peloton’s CEO and co-founder, spoke after the company reported a loss of $8.6 million for the fiscal third quarter ended March 31. Revenue for the period was $1.26 billion, exceeding Wall Street expectations of $1.11 billion.

Wall Street nevertheless gave the news a decisive thumbs down, with Peloton shares falling $13.48, or 14%, to $83.22 in early afternoon trading.

While we believe Peloton can remedy both Tread issues, we think the recalls call Peloton’s hardware quality control into question, and Peloton’s initial rebuttal of the CPSC’s claims now looks misguided.


But there is more. TechCrunch reported that the company also had a serious security flaw in its API.

Jan Masters, a security researcher at Pen Test Partners, found that he could make unauthenticated requests to Peloton’s API and retrieve user account data, because the API never checked whether the requester was entitled to it.

The flaws, since patched, allowed anyone to view private user information, including age, weight, gender and location, as well as the classes a user had taken, even when the user had set their profile to private.
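To make concrete what “returning account data without checking that the requester is allowed to see it” looks like in code, here is an added illustrative example (not Peloton’s code, and not from the TechCrunch or Pen Test Partners write-ups). It models one hypothetical profile endpoint in three versions: the original with no check at all, a version that only requires a login (which is what the article says Peloton first did, and which still lets any member read any other member), and a hardened version that also enforces object-level authorization and honours the private flag. The accounts, session tokens, endpoint shape and field names are all constructed for the example.

```python
# Added illustrative example of a broken-object-level-authorization (BOLA)
# bug and its fix. Not Peloton's code; every account, token and field name
# below is constructed for the example.
from typing import Optional

PUBLIC_FIELDS = ("id", "username")

# Constructed sample accounts (not real people).
USERS = {
    1001: {"id": 1001, "username": "rider_a", "age": 34, "weight_kg": 70,
           "gender": "F", "city": "Boston", "private": True},
    1002: {"id": 1002, "username": "rider_b", "age": 41, "weight_kg": 88,
           "gender": "M", "city": "Austin", "private": False},
}

# Constructed session tokens -> owning user id (stand-in for a session store).
SESSIONS = {"tok-rider-a": 1001, "tok-rider-b": 1002}


class HttpError(Exception):
    """Raised by a handler to signal an HTTP error status."""
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def authenticate(auth_header: Optional[str]) -> int:
    """Resolve 'Bearer <token>' to a user id, or fail with 401."""
    if not auth_header or not auth_header.startswith("Bearer "):
        raise HttpError(401)
    user_id = SESSIONS.get(auth_header[len("Bearer "):])
    if user_id is None:
        raise HttpError(401)
    return user_id


def vulnerable_get_user(user_id: int, auth_header: Optional[str] = None) -> dict:
    """Version 1: no authentication, no authorization. Anyone who can reach
    the endpoint gets the full record for any id they can guess or iterate."""
    profile = USERS.get(user_id)
    if profile is None:
        raise HttpError(404)
    return dict(profile)


def half_fixed_get_user(user_id: int, auth_header: Optional[str]) -> dict:
    """Version 2: authentication only. The caller must hold a valid session,
    but nothing ties that session to the record requested, so any logged-in
    member can still read every other member's private fields."""
    authenticate(auth_header)
    profile = USERS.get(user_id)
    if profile is None:
        raise HttpError(404)
    return dict(profile)


def hardened_get_user(user_id: int, auth_header: Optional[str]) -> dict:
    """Version 3: authentication plus an object-level authorization check.
    The owner sees everything; other members see only public fields; and a
    private profile is indistinguishable from one that does not exist."""
    caller = authenticate(auth_header)
    profile = USERS.get(user_id)
    if profile is None:
        raise HttpError(404)
    if caller == user_id:
        return dict(profile)
    if profile["private"]:
        # Same status as an unknown id, so the endpoint cannot be used to
        # enumerate which ids belong to private accounts.
        raise HttpError(404)
    return {k: profile[k] for k in PUBLIC_FIELDS}


def status_of(handler, user_id: int, auth_header: Optional[str]):
    """Exercise a handler: return the response dict or the error status."""
    try:
        return handler(user_id, auth_header)
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    for name, h in [("vulnerable", vulnerable_get_user),
                    ("half_fixed", half_fixed_get_user),
                    ("hardened", hardened_get_user)]:
        print(name, "no token ->", status_of(h, 1001, None))
        print(name, "rider_b reads rider_a ->",
              status_of(h, 1001, "Bearer tok-rider-b"))
```

The point of the middle version is that requiring a login is not an authorization check: the server must compare the authenticated caller to the object being requested on every call, and the response for a private profile should not differ from the response for an unknown id, or the endpoint still leaks which accounts exist.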

The researcher reported the flaw to Peloton in January 2021 with a 90-day disclosure deadline, the period security researchers conventionally give an organization to fix a bug before details are published.

Peloton let the deadline pass without fixing the bug. It acknowledged receipt of the report and then quietly restricted the API to logged-in Peloton users, which still left every member’s data readable by any other member.

When TechCrunch contacted the company after the deadline expired, Peloton confirmed that it had fixed the flaw. TechCrunch withheld the story until the fix was in place so the vulnerability could not be exploited in the meantime.

Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction it took appropriate action. A vulnerability disclosure program is not just a page on a website; it requires coordinated action across the organization.


Asked repeatedly why it had not responded to Jan Masters’s bug report, the company declined to comment.
