Shares of home-exercise giant Peloton are falling today, off some 13.6% as of the time of writing. This comes after the company announced a recall of its treadmill product, and TechCrunch reported that the company failed to fix a security issue regarding user data.
The value of Peloton shares soared during the pandemic, as the company’s product found itself in a secular updraft driven by a move to working, and working out, from home in the face of COVID-19’s spread. Worth around $30 per share at the start of 2020, Peloton’s stock price shot to more than $150 per share by the end of the year.
Today, after losing more than $13 per share in value, Peloton equity is worth just $83.50 per unit.
The company’s decision to recall its “Tread+” and “Tread” treadmills comes with a warning that those who had bought the devices should “immediately stop using it and contact Peloton for a full refund or other qualified remedy.” The decision to stop selling the devices and finance a recall of all units comes after a child died after an incident involving one of the treadmills. Other injuries have been reported.
The American Consumer Product Safety Commission, or CPSC, wrote that it accepted the recall and sale-cessation decision, adding that the agreement came after “weeks of intense negotiation and effort.” The CPSC had warned consumers earlier this month about “the danger of popular Peloton Tread+ exercise machine after multiple incidents of small children and a pet being injured beneath the machines.”
Peloton fired back at the time saying that it was “troubled by the [CPSC’s] unilateral press release about the Peloton Tread+ because it is inaccurate and misleading.” The company added that there was “no reason to stop using the Tread+, as long as all warnings and safety instructions are followed.”
Whoops.
The company’s backtrack is not only incredibly embarrassing from a public perception perspective — Peloton got into a scrap with the CPSC about whether or not it was trying to impede its investigation, which was a very bad look — but perhaps even more destructive to its brand than making the same decision earlier would have proved.
But for Peloton, the day’s bad news was hardly monotopical. Instead, TechCrunch reported this morning that “Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it.” As we reported, given the known high-profile politicians who are Peloton users, this is more than a mere consumer data-breach matter.
Even worse, Masters had told Peloton about the matter:
Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.
But that deadline came and went, the bug wasn’t fixed, and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.
Between the death of a child, a failed attempt to attack critics, a massive recall, the cessation of sales of a product line, and a self-induced privacy fiasco, it’s a bad day for Peloton. Not that I won’t ride my own Peloton later today, I’ll just do so while shaking my fist at the corporate overlords who pay the instructors that actually make their entire business function.