Between recalling treadmills and leaking data, Peloton's had a very bad day

After downplaying a kid literally dying on one of its treadmills, the at-home gym company is finally taking some responsibility.

Until last month, Peloton’s main woes mainly came from shipping delays and the occasional, um, attempted QAnon insurrectionist infiltration. But alas, those halcyon days came to a screeching, bloody halt a couple of weeks ago after the U.S. Consumer Product Safety Commission released horrific footage via Twitter of a Peloton treadmill literally sucking a toddler underneath its 455-pound frame.

Since then there have been around 70 reports of injuries and malfunctions, one of which resulted in the death of a six-year-old child, with authorities advising Peloton users to immediately stop using their Tread and Tread+ devices.

Instead of issuing a heartfelt apology and immediate recall, Peloton’s PR response essentially boiled down to “Treadmills are dangerous, people should be more careful,” (our words, not theirs) while even going so far as to claim the CPSC’s warnings were “inaccurate and misleading” (their words, not ours).

Now, weeks later, the company appears to have finally come to its senses via a formal acknowledgment of its products’ dangers while also offering a complete buyback of the Tread and Tread+. To add to its woes, news also broke today that its API could (until recently) let virtually anyone access Peloton users’ private data. Now that’s what we call a bad day.

First, return that damn treadmill — After Peloton CEO John Foley acknowledged his company’s initial response was “a mistake,” he went on to offer a full refund to anyone who wishes to return their Tread or Tread+ (in total, over 131,000 units have been distributed in the U.S. and Canada). Those wishing to rid their homes of their pricey maim machines have until November 6, 2022, to receive a full refund, although Peloton will reportedly offer an unspecified partial amount for anyone opting to initiate a return after the deadline.

But really, for a treadmill that now includes the warning “Adult users, children, pets and objects can be pulled underneath the rear of the treadmill, posing a risk of injury or death,” that’s sort of the least the company could do.

Second, don’t expect your data to be private — Once you’ve returned the treadmill, you might want to also look into just washing your hands of Peloton altogether if having your personal fitness data out there isn’t something you’re comfortable with. Earlier today, TechCrunch reported a massive API flaw until recently allowed anyone with the know-how to make “unauthenticated requests... for user account data without it checking to make sure the person was allowed to request it.”

Information like someone’s “age, gender, city, weight, [and] workout statistics” could be easily accessed, and if a person’s birthdate is supplied, additional information could be acquired even if a profile was set to private. That may not matter to you, but if it does, we’re sorry to report your data may already have been compromised.

Another slow response — Peloton reportedly didn’t respond to an initial notification of the flaw from a security researcher at Pen Test Partners, even after a 90-day deadline to address the issue. Instead, the home fitness giant only recently owned up to the security flaw after follow-ups from TechCrunch, assuring it the bug has since been addressed. While that’s all well and good, there doesn’t appear to be any specifics on when Peloton actually got around to patching its API, which we don’t find comforting... and investors don’t appear to either. Peloton’s stock is currently down about 14% at the time of writing.