Peloton API Exposed User Data, Even for Private Accounts

Peloton’s had a rough go in the news cycle lately, and not helping matters is the fact that its leaky API allowed any hacker to obtain any user’s account data—even if that user had set their profile to private.

The vulnerability, which was discovered by security research firm Pen Test Partners, allowed requests for Peloton user account data to go through without checking that the request was authenticated. The API itself is the bit of software that allows the Peloton hardware to communicate with the company’s servers that store user data. As a result, the exposed API could let anyone with a bit of know-how access any Peloton user’s age, gender, city, weight, workout stats, and birthday. Yikes.