Hump day is not going well for Peloton this week. After a successful annual ‘Homecoming’ event last weekend where they made a slew of product announcements, the company announced today they’re recalling Tread & Tread+ treadmills, due to safety issues (which led to the death of one child). This, following weeks of the company resisting calls from the CPSC (Consumer Product Safety Commission) to issue a recall of the Peloton Tread/Tread+, and of course, following the incident in March that led to the death of a 6-year-old child, after they were pulled under the treadmill.
However, Peloton’s bad day actually started prior to that, before most in the company’s headquarters in NYC even woke up. A story ran on TechCrunch, which outlined how security researchers had stumbled onto a bug that allowed some activity and profile details to be seen for private profiles. More important to the story, though, was the fact that it took the researchers multiple attempts, and eventually the involvement of a media outlet, to get Peloton to pay attention to their claims. The actual data leak itself would probably be classified as relatively minor in the grand scheme of leaks (more on that in a second).
Let’s just do a quick round-up of both of these. However, for those that are skimming – I’d strongly encourage you to understand the treadmill safety issue here, because frankly, this doesn’t just impact Peloton treadmills.
Peloton Treadmill Recall:
Peloton currently offers two treadmills, though, they were both named the same thing at one point. The two models are:
Less expensive – $2,495: Peloton Tread
More expensive and bigger – $4,295: Peloton Tread+
However, up until last year, the Peloton Tread+ was the Tread, and then they offered a less expensive version, and they renamed the Tread to the Tread+. It’d be like if Apple decided to change the name of your product after you bought it, giving it a +/Plus. It’s confusing.
And in fact, adding to the confusion is that there are actually two different safety issues. For the Tread+ (the bigger one), the main safety concern is that pets/children/objects can be pulled under the treadmill if not properly supervised. The CPSC released a video showing how exactly this occurs with a toddler. The video is hard to watch (the child eventually walks away), but I think it’s super important anyone with a treadmill watch it, as this isn’t limited to just Peloton treadmills:
Again, while Peloton is getting all the attention here, this isn’t limited to Peloton treadmills. The main issue is the gap at the base of the treadmill. And just about any belt or slat system will pull objects under it, especially given the forces and weights these machines have. For example, my treadmill (at the DC Rainmaker Cave) isn’t much different in height or gap, and would likely pull things under it too. Here’s an older image I found in my files of it, showing the gap:
However, some treadmills have bars or covers in place to prevent this. For example, just randomly pulling up Woodway’s main treadmill page, you’ll see how these specific models have bars in place that prevent most objects from being pulled fully under the treadmill. And that’s the key piece here. The main goal isn’t necessarily to prevent belt-burn or such, but rather, to prevent the child/pet from being *pulled under* the treadmill.
Versus below, for the Peloton Tread+, you can see there’s no block in place, yet there’s still enough of a gap to then have the belt/slat system pull the object with it, not just to an initial bar under the treadmill about 12” back (like mine above), but likely significantly further along because there’s no secondary blocker that some units have.
Meanwhile, for the Peloton Tread (the cheaper one), somehow the display can fall off and end up injuring the person on the treadmill. How this occurs is relatively mind-boggling to me, but obviously, it’s happened. Whether this is an assembly quality issue or an engineering issue is somewhat beside the point, it’s apparently happening. Here’s the exact wording from Peloton on this one:
“Peloton, in cooperation with the U.S. Consumer Product Safety Commission, is recalling the Tread because the touchscreen console on the Tread can detach and fall, posing a risk of injury to consumers.”
Like, that’s literally the definition of ‘the front fell off’.
On the bright side, very few Peloton Tread (non+) units have been sold – at least in the US. Peloton says 1,050 Peloton Tread units were sold in the US, as they were only on a small pilot program there within certain US cities. Instead, those units were largely sold in the UK & Canada. Peloton has not sold any treadmills in Germany (their other market). Peloton has ceased sales globally on all treadmills. They’re also working on a fix to keep the front from falling off:
“Peloton is implementing a voluntary recall for the Tread in cooperation with the CPSC. We are already working to develop a repair for your Tread touchscreen console and hope that this CPSC-approved repair will be available soon. Until this repair is available, Tread owners can either wait for the repair to be approved in the coming weeks, or they can request a full refund.”
Meanwhile, for the Peloton Tread+, there were 125,000 of those sold in the US. For those folks, Peloton is essentially giving two options:
Option 1: A full refund. Any Peloton Tread+ owner can request a full refund, until November 6th, 2022.
Option 2: Peloton will send someone out to relocate your treadmill to a more safe (non-kid) location in your home. Remember, this unit is about 500 pounds, so it’s not easily moved by yourself.
Regardless of which option someone chooses, Peloton is also going to roll out a software PIN code. This is in addition to the hardware key that’s required to operate the treadmill. Meaning, ideally, someone would take the key out of the treadmill and put it in a safe place – which prevents the treadmill from operating. But a software PIN is a much better solution. The treadmill will automatically lock after use, and then require the PIN code to operate it again. This protects against scenarios where perhaps a parent has to abruptly leave the treadmill mid-workout (to perhaps settle a multi-toddler dispute), and then doesn’t get back to the unit to remember to take the key out.
Peloton says they are working on a hardware modification to the Tread+ as well:
“We are working to develop additional modifications to the recalled Tread+ that will address the hazard of adult users, children and pets being pulled below the Treadmill and suffering serious injury or death. These modifications will be incorporated presented to the CPSC and if approved, will be introduced into the product before Peloton resumes sales. We do not have any additional information about the modifications or any proposed timeline right now.”
Undoubtedly, this will be some form of bar or cover over the back area. But in looking at the existing treadmill back area, this isn’t going to be an easy fix to roll-out, on a product that’s designed to be as sleek as possible. Never mind having to roll this out to 125,000 units (or a portion thereof).
Peloton Data Security Leak:
Oh no, we’re not done yet today. We’re only halfway there.
Earlier in the day, TechCrunch reported on how a security researcher was able to access profile information for members that were private, as well as access profile information for public members without authorization. The researchers have detailed their work here.
The details that were accessible were: User age, gender, city, weight, workout stats, and whether or not it was the user’s birthday (today).
These are essentially the same stats that are viewable from a user’s profile page, split into those that are seen within a workout, and those that are seen outside a workout. For example, above you can see my Peloton profile page. You’ll see my username (dcrainmaker), my city that I’ve entered manually (Amsterdam), plus all my workouts. Do note that the city is not your actual billing address, it’s just what you put in that public field. Some people don’t put anything, some put random things, like filling out a MySpace profile, it’s not super concrete.
The age and gender are the same as displayed when you tap on someone’s profile from the normal Peloton leaderboard. Here’s an example of a random person I just tapped on right now from a leaderboard of a class this very second:
You can see that the person has specified themselves as a female, under 20, and living in Toronto. And in this pretty rare case, they also listed what is presumably their full name. Or, it might just be a pseudonym and they might be a 45-year-old dude in Germany. Who knows. Here’s an example of a pile of names from a leaderboard this past weekend:
You’ll note though that one’s actual name isn’t displayed anywhere, nor was their actual location, nor anything else beyond what is normally public information. Except whether or not it was that user’s birthday or not today. The other detail that’s somewhat irrelevant right now, was whether or not the person was taking the class in a Peloton studio, or at home. Given all Peloton studios have been closed for a year, that doesn’t matter too much today.
However – the main gap here is that this was *ALSO* accessible for private profiles, using the Peloton API (or, sorta-API, it’s not really a truly official API).
But that’s also ignoring the fact that it took more than 90 days for Peloton to respond to the security issues, and even then, they were only fixed after TechCrunch reached out to Peloton’s press office, which got the ball moving. According to TechCrunch and the security researchers, it sounds as if the main security lead at Peloton was new to the position and things were still getting put in place.
Undoubtedly, it also sounds like Peloton didn’t have in place procedures to raise security-focused bugs from customer service/support channels to the right internal teams. That’s an important piece for software and hardware companies to have in place, to train support staff to understand when a security researcher (or anyone else) is trying to disclose a security vulnerability. Else, it can get lost in the noise of typical tech support cases.
Peloton provided the following statement to TechCrunch:
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”
Again, it’s never good to disclose profiles that are set to private, as public. But, in this instance, the severity of the data here is more minor than most data leaks we tend to see. Certainly far less critical than if one’s Strava profile were public when otherwise set to private, as that has very specific details about exactly where someone runs/rides, and likely their exact address information (no, Strava hasn’t had a data leak of that sort yet…and no, people forgetting to add privacy zones doesn’t count. Also, yes, dear god, make a privacy zone around your home, and don’t start your runs/rides from your home – start them a few hundred meters away).
Of course, all of Peloton’s Bad Day™ will likely be forgotten tomorrow, as conveniently it’s their quarterly earnings call. Undoubtedly they’re going to announce another blockbuster quarter – probably selling more bikes than ever before, with more subscribers than ever before. Make no mistake, there’s a reason this is announced today, and not tomorrow. By tomorrow, it’ll literally be yesterday’s news.
With that – thanks for reading!
A bit off topic, but anyone know how to link to a Strava account if I once had a Peloton profile that was linked, but that I deleted and now can’t recover, but seems to linger somewhere in the system? Anytime I try to link my new profile, I get an error saying my Strava account is already linked to a Peloton user. Revoking access from the Strava side, factory reset of Peloton haven’t helped and Peloton customer support appears clueless.
Thanks.
Are you on a Peloton Bike, or just the app?
Peloton requires the initial link be established on a physical Peloton Bike (or Tread). Any bike/Tread, anywhere. Just once.
So in pre-pandemic years, you could go to a Peloton Studio even and do it there, a hotel gym, a Peloton showroom, friends house, etc… Once you did it once, you were good to go forever.
On the newer Bike Plus. The original profile (which I now cannot recover since I don’t remember the e-mail and each one I could think of and put into their forgot password link appears to be for a different profile) was also created on the same bike. The new profile which I use now is also on the same bike. Have tried wiping the cache and doing a factory reset of the bike, but there appears to be a ghost in the machine. Peloton customer service took half an hour to just understand the scenario then said they had created a ticket but I have no indication anyone is doing anything about this. The internet is full of people reporting similar sounding issues though the scenarios are usually slightly different from mine. None that I have found talk about this “lost profile” scenario. And peloton appears to have no workflow anyway to completely erase a profile from existence. From the bike you can remove a profile, which I did when I couldn’t log into it, but it still exists somewhere, either in the cloud or somewhere on your bike. I can even find it by userid (which is different from e-mail) because it was a public profile, using the Find Members link on the Peloton website. Highly frustrating.
Small typo, sod instead of sold
Thanks!
I’ve been wondering about my Woodway Desmo/4Front’s ability to suck me under. (It’s a Woodway Desmo refurbished as a 4Front with the new display.) I don’t think it has any kind of bar underneath the rear, and I was worried about potential #suckunder since before the Peloton incidents were reported.
It seems like a risk if you fall and get rolled off the back and get a limb on the ground at the rear. I’ve never fallen, but it could happen without too much of a fluke. I’m the only person on the planet to use the emergency-stop magnet clip, but I think the belt could still spin for a second or two and suck you under.
Treadmill fail video below. Most of these people had it coming, but some of them just trip or make understandable mistakes:
link to youtube.com
Except their stock price dropped almost 15% today on this news.
After seeing the video of the kid being pulled under, my thought is that the belt on my old treadmill would slip before the deck would actually leave the ground as in that video. With a belt made of slats, does the peloton tread+ have two sprockets instead of the standard smooth drum driving the belt or a non-round drum (hexagon cross shape) that prevents slipping?
Typo in paragraph 2, work/woke
hahahahah..brilliant! that will teach those woke wankers at Peloton with their work tv ads.
The problem is a pattern by Peloton of 1) ignoring the problem, 2) then lying about the problem 3) blaming others before doing anything. But yet people will defend them.
Couldn’t the hardware issue be fairly simply fixed by providing some kind of sled style metal base that the Peloton could simply sit on top of?
It would then wrap around the end of the treadmill covering the void?
No need for super engineering, just put a shoe on it.
True, as long as it was physically attached to the Tread, which, I presume could be accomplished via replacement of the rear feet, that I also presume probably attach merely via screws or such.
I wonder if other treadmill manufacturers will do anything to prevent things being pulled under the belt. Peloton got caught, but as Ray showed, it’s a relatively common issue
Peloton didn’t get caught so much as they are rich enough that it’s worth a lawsuit. They were always going to be dragged on stage bleeding for something and I’m sure there are still plenty out there trying to think of other issues to pull them on. They’ve been lucky this time that it’s an issue affecting most treadmills and that ultimately it is user error. Sure, they can add safety features like a PIN, but kids are very capable of watching and learning a PIN number. Every time someone invents an idiot proof system, idiots step up their game. There is no getting away from the fact that a treadmill is a big powerful motor attached to an abrasive belt, and if you let children near it unattended (and video doesn’t count, I can’t believe I have to say that!) then there is no safety feature that will protect them.
Yeah, I suspect we’ll look back on this in 3-5 months and most of the major treadmill manufacturers will have been caught up in it in some way.
By now, plenty of lawyers are sharpening their pencils, and also, probably plenty of parents that perhaps never reported incidents to the CPSC for other treadmills (or even Peloton), are sending e-mails.
Which isn’t to say treadmills are scary monsters, it’s just that to date treadmill companies have never really said *HOW* these incidents occur. It was always a leave it up to your imagination on how a kid could get hurt. My imagination assumed a kid plays on the belt and flies off the back (which, is true, and is how most accidents happen). But it never crossed my mind to get sucked back under it. And, as a bit of a hotel gym treadmill aficionado, I can say that a lot of treadmills are exactly 0% different than Peloton’s here.
You have repeated this a bunch of times about “other treadmills”. Do you have any facts to back it up? Or will you continue to defend Peloton?
I’m not defending Peloton, I’m simply pointing out this isn’t a unique problem to Peloton. I’ve pointed out numerous times I don’t understand why Peloton pushed back so hard on considering changes.
As for other examples, there’s a good post on the Slowtwitch forum of a person noting the exact same thing happened with them and an exercise ball (which is what’s shown in the video) and their Nordic Track.
And in all of 5 seconds of searching, here’s a perfect example of a belt-driven treadmill, pulling an exercise ball under the treadmill – just like Peloton’s did with the child. And in this case, with a teenager standing on the treadmill no less: link to youtube.com
Again, this isn’t just a Peloton issue, in this Wired piece, I explain a bit more on why Peloton is likely being poked at first here: link to wired.com
I think the reason they pushed back so hard was to avoid a humongous recall in their primary market for something that’s never been an issue in the market before despite it being a well proven design. I completely agree with you that they should have considered design changes just because more safe is obviously better and they have to iterate and improve for the next model anyway. I don’t agree with the huge recall one bit, and I promise you that if they add a bar to the back the next lawsuit will be a broken hand between the bar and machine, or lacerations if the bar is too close. Someone will get injured using the new design, that is a certainty.
We might very well see an arms race develop which ultimately leads to a camera using AI to detect kids which disables the machine entirely in their presence…then a parent will sue because their device doesn’t work while kids are in the room ;)
Sometimes I worry that we’ll end up banning all forms of exercise just in case someone stubs their toe
From your comments, it’s clear you don’t have kids. Toddlers move & learn fast & parents get distracted. Depending upon furniture & outlet configuration, unplugging/plugging in isn’t always easy to do.
In watching the beginning of that video for the first time, I would have thought that ball was waaay too large to get sucked under & I can’t help but watch the end of that video (over & over again – am I a bad person?) with the sound ‘on’ in my head, “Mmm, child tasty. Nomnomnom!” as that 500 pound machine literally picks itself up & moves to ‘eat’ that kid. If I didn’t see the video I would NEVER have believed that could happen. This kid walked away but another died because the machine is powerful enough to move itself under the right (wrong?) circumstances.
“unplugging/plugging in isn’t always easy to do”
Taking the safety pin out is certainly always easy, however. And this applies to *any* treadmill.
“unplugging/plugging in isn’t always easy to do. ”
Good parenting isn’t about things being easy, it’s about protecting your children first and foremost every single day for the rest of your life. As I said, this is effectively a belt sander with a huge motor, there is no safety device that will ever make it safe to leave with a child alone if there is a chance they could switch it on. If you can’t be arsed to make it safe, put it in a locked room they don’t have access to. If you don’t have a room, run outdoors. Your children have to come first every single time.
Not every house has a spare bedroom, & even if they did it may very well be better to put it downstairs where the parent can use it while supervising the child(ren). There were times I was a ‘single parent’ just due to work schedules; there are many others who are full-time single parents, either because of divorce, death, or deployments. I couldn’t run outside & leave the kid home alone & if I was running/riding in the basement or a spare bedroom, I might not realize he woke up early from his nap. Treads aren’t cheap but buying one means someone doesn’t have to pay a babysitter to run outside, possibly in the rain or dark, at a pre-scheduled time. They provide flexibility & convenience, which is something parents need.
There’s also the fact that children grow & can do more than they could one, three, or six months ago. Babies are wonderful because you always find them where you leave them; once they learn to crawl it’s a totally different game & they need constant, eyes-on supervision. Ask how many parents had a kid end up in a bathroom or outside on their own because they didn’t realize said kid learned how to unlock/open a door.
While I don’t disagree with what you said there are practical realities to actually being a parent. I’m not one to scream ‘design defect’ at every little injury but a 500lb object that will pick itself up & move itself to ‘eat’ a kid because a blocker bar didn’t look cool is one that DOES have a design defect that isn’t foreseeable or expected by the average person.
“despite it being a well proven design” – what might be a well proven design for use in a controlled gym environment is not necessarily one when used in a home environment.
Hard to think we had Clarke & Dawe on every week for a few decades, & now Clarke is gone, leaving a trail of jewels like that one. Thanks for the call out.
Yeah that’s a classic Clarke (such a loss) & Dawe almost as good as them describing the European Debt Crisis.
It is not Peloton’s fault if parents are stupid…
On the other hand, parents are fully responsible for their child’s health, safety, legal consequences.
You couldn’t make this up… clicking on your link to the ‘Front Fell Off’ vid…
That’s incredible!
Another child safety related news item today is to do with Apple AirTag button battery safety.
link to abc.net.au
Yeah, though, I have a hard time understanding this one. It’s basically saying ‘if an object is small with a coincell battery, it’s not safe’?
And yet, they still sell scissors I presume…
Will they also do a recall on all coins and only allow paper money?
In that article: “Lithium batteries can easily burn a hole in the oesophagus if swallowed.”
That is incorrect!
Swallowed batteries pass the oesophagus very quickly. If they get stuck somewhere for 2-4-6-8 hours, they first create local necrosis and then perforation. It most likely happens in the stomach-pylorus-duodenum area.
First of all, we do an x-ray image to determine where it is located.
If it is in the stomach, like in picture 1, it is perfect for endoscopic removal.
But when it is going all the way through the gastrointestinal tract, like in picture 2, it will leave the body with defecation without any damage.
It is not the manufacturer’s fault or the packaging if the parents leave it easily reachable for kids and they eat it like candy. Picture 3 with 11pcs…
Why not pull off the market the detergents, cleaning products, etc.?
We had cases of children drinking nail color removal, hair color, or even wood mordant…
Have you ever seen a child swallow a pair of scissors?
It’s not the batteries that are the issue, it’s the unsecured compartment housing the battery that needs to be kiddie proof. Children’s toys should have screws to lock the battery compartment and poisons have lids that are hard to open. Yes life is dangerous for toddlers but this is definitely not a parental supervision issue as you are not going to monitor a child 24/7 and the parent has no idea that the battery has been swallowed until symptoms occur.
In their defence, the Airtags do have a double action cover which is hard for kids to undo. Parents can also choose to fit child safe batteries if they so wish, I’m surprised Apple didn’t specify them given the price point.
link to duracell.co.uk
You will be surprised what kind of objects these little devils can swallow…
So what you gonna do? Restrict spoons?
It is definitely a parental supervision issue. Parents are responsible for the kids in all aspects…
Your stupid response makes me think you don’t understand the issue?
Have a read of this article and tell me that the parents are at fault.
link to abc.net.au
I hope you’re not a medical doctor.
“Have you ever seen a child swallow a pair of scissors?”
You haven’t met my youngest daughter… 🤣
Kidding aside – my point here is that the AirTags aren’t designed as children’s toys, just like the AirPods aren’t, and countless other products sold at an office supply store (such as scissors).
Sure, it’s far easier to ‘secure’ a treadmill from children than to ensure that an AirTag isn’t misplaced somewhere within child’s reach. Especially since Apple selected not to put a simple darn keyring hole on them…
Nooo, how could I be? I just hacked a random hospital archive for those x-ray images…
But afraid not, I do not deal with adults… All are idiots.
and working in a children’s hospital, nobody can stop me from remaining infantile…
There are two safety warning stickers on the Tread+. They say things such as “Misuse of this equipment may result in serious injury or death”, “Unplug the treadmill and remove the safety key when not in use”, “Always store the safety key away from the treadmill and out of the reach of children”, “Children under 16 may not use the treadmill”, “Keep children and pets away from the treadmill at all times”.
I guess reading is way over-rated. And so is parenting.
Agree, but Peloton made their bed with this one by ignoring it and fighting back about it instead of simply saying people should turn it off or offer a pin entry.
Hopefully this knocks down their arrogance a bit
Ray… The Reddit forums were wondering if they’ll stop making new content for the Tread, given it looks a little odd to be running on something you just recalled.
The current schedule shows classes continuing (live ones). For example, there’s one in about 90 minutes (see attached).
It’s not actually recalled though, is it? They’ve offered three options of which Ray detailed two. Full refund and return the device (which will no doubt be sold on, potentially with a fix), move the device to somewhere safe, or do nothing and act like a grown up. My money is on 99.999% of their users deciding that option 3 is for them, after all most didn’t see it as an issue in the first place, and they certainly don’t want to return their device and have nothing to replace it (option 1). I guess 5-10 people might get the device moved, but realistically most users weren’t dumb enough to place it in the nursery in the first place.
So why cancel the classes? The usage won’t go down from this.
Peloton treadmills are no different from all the others. The movie shown is hard to watch and thank goodness, the child was not hurt……but where in #$%^ were the parents? No way those little children should be using that treadmill(turned on and running) without a parent nearby. Many parents lack simple common sense.
100% agree, but this is the society we are living in today. We have a culture, world wide but especially in the USA, where everything that is wrong in your life is someone else’s fault.
Every treadmill could do this, it’s not a Peloton problem. I don’t own a Peloton but have a different much cheaper treadmill. I have young kids, they are never left alone with the treadmill. I have stood there and watched my 2 year old get on the treadmill and plug in the magnet key then punch it up to 7mph. I was watching my kid and pulled her off, but wanted to see if she could do it. I am not a perfect parent, my kids get hurt sometimes when I am not fully attentive. My daughter tripped in the driveway the other day, I am not suing the asphalt company or New Balance shoes for her scraped ankle.
That McDonald’s law suit on hot coffee back in the day is ruining the world! LOL
On the newer bike+
We have the original Tread. Got it less than a year ago. I called them today and they are picking it up on Saturday and refunding our purchase.
What will you get instead? The treadmill industry doesn’t offer many good options from what I can see.
(not aimed at you, you just inspired the thought) It just occurred to me that a lot of original Tread users could use this to get a full refund so they can upgrade. It’ll be the best second hand price anywhere! Also people who never really used it get a nice easy way out with full refund and the heavy machine picked up for free, that’s a win!
We haven’t used it since January. It’s not easy or possibly not legal to resell a recalled device. A refund is the best option IMHO since we don’t find much use for it.