Date: 2021-05-06

According to a report from TechCrunch, an outdated version of Peloton’s API, the program that enables the company’s bikes and recalled treadmills to communicate with its servers, might have revealed private customer profiles. Peloton claims to have over 3 million subscribers and over 1 million connected fitness profiles, so the leak may be massive. Jan Masters, a security researcher at Pen Test Partners, discovered the bug on January 20th and reported it to Peloton, but the company is only now confirming that it has been patched. He also discovered that he could make unauthenticated requests to Peloton’s API for user account data, with no verification or confirmation of the requester’s privileges. This happened when Biden was inaugurated, and Peloton moved to t...