Peloton Backtracks On Treadmill Safety And Issues A Recall


Peloton is no stranger to PR disasters (remember that ad?). When it comes to matters of safety, there is no use fighting the tape.

After previously downplaying safety concerns around its treadmills, yesterday Peloton announced voluntary recalls of all of its Tread and Tread+ products.

Don’t Tread On Me

As we covered last month, the U.S. Consumer Product Safety Commission issued a stern warning about Peloton’s Tread+ treadmills after dozens of injuries and one death were reported. Peloton fired back at the time, calling the report “inaccurate and misleading.”

But after the CPSC highlighted the “unusual belt design” on the Tread+ and relayed reports about the machine’s touchscreen loosening and even falling off, the company known for its flagship stationary bike is suddenly backpedaling:

  • Initiating a voluntary recall, Peloton is now advising owners of its Tread and Tread+ treadmill products to stop using them immediately.
  • The recall affects around 125,000 Tread+ machines and 1,050 Tread products in the U.S., and customers are advised to contact Peloton for a full refund or other remedy.

Peloton says it plans to work with the CPSC to develop new industry safety standards for treadmills. CEO John Foley was contrite in a statement, saying, “I want to be clear, Peloton made a mistake in our initial response to the Consumer Product Safety Commission’s request that we recall the Tread+.”

Software Slip-Up

Unfortunately, Peloton’s problems this week aren’t limited to the hardware arena. The company’s API, which allows network communication between Peloton bikes and servers, was recently found to accept unauthenticated requests for user data.

That means anyone on the internet could access a Peloton user’s age, gender, city, weight, and workout stats. Jan Masters, the security researcher who discovered the API bug, reported it to Peloton way back in January, offering the company the typical 90-day window to correct the bug before making the news public.

Spinning Its Wheels: After being mum for months, Peloton this week finally acknowledged it had “addressed the issues.” But it remains unknown whether the API vulnerabilities had already been exploited through mass-scraping of account data.

The Takeaway

Peloton shares closed down nearly 15%, wiping over $4 billion of its market cap in one day.