Peloton's data leak exposes users' personal data

Peloton is having a pretty bad week. First, it was forced to recall its treadmill series due to serious safety concerns and issued an apology for failing to take prompt action. Now it has come to light that the company also failed to protect user data.

This security failure was highlighted by TechCrunch, which confirmed it by retrieving data from a journalist's own Peloton account even though that account was set to private. Security researchers were able to query Peloton's API, the interface that lets apps and devices talk to Peloton's servers, and the API returned this information without requiring any authentication.

When security researchers informed the company that the API was spewing personal information all over the Internet, the company restricted the API to answer only requests made with a valid Peloton account. Nevertheless, anyone who was prepared to pay for an account still had access to the data.

Peloton's system maintains information on users' age, gender, weight, and workout statistics. Peloton essentially ignored the researchers' reports and closed the loophole only when TechCrunch reached out for comment. Peloton's customers included President Joe Biden, which raised additional concerns about the API leak. Pen Test Partners, which discovered the API issue, also published its findings, along with screenshots of the API responses. It is worth noting that, along with personal information, the Amazon AWS instance also stores the profile photos members have uploaded. The photos appear to be named after the account's username, which is very easy to obtain.

The issue has now been completely fixed and API access is no longer available without authentication or with basic subscriber credentials.

Peloton told TechCrunch, "Going forward, we will work with the security research community to do more to respond more quickly when vulnerabilities are reported."