Peloton users may be vulnerable to hackers accessing their information.
In an exclusive NBC News report, software security company McAfee's Advanced Threat Research Team confirmed it had exposed a vulnerability in the Peloton Bike+ that allowed hackers to install malware through a USB port, as well as fake versions of popular apps like Netflix and Spotify, to obtain riders' information.
Users would be especially vulnerable to attacks when using a Peloton Bike+ in a public setting, such as a hotel or gym, according to the report.
"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the McAfee threat research team, via NBC News. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam."
Povolny said "interactive maps" online showing Peloton bikes and treadmills in the United States make it easy for attackers to find targets in public spaces and eventually gain access to their accounts.
Hackers can then upload a "completely customized malicious image," which would give the attackers access to the rider's microphone, camera and apps.
"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.
In a statement obtained by NBC News, Peloton confirmed it was notified of the issue by McAfee engineers "via our Coordinated Vulnerability Disclosure program" and said it was working with the security company to fix the problem.
McAfee officials said they contacted Peloton about three months ago and received a response within a couple of weeks.
"McAfee reported a vulnerability to us that required direct, physical access to a Peloton Bike+ or Tread to exploit the issue," Peloton said in a statement. "Peloton also pushed a mandatory update to affected devices last week that addressed this vulnerability."
Experts told NBC News that any device capable of connecting to the internet is vulnerable to hackers obtaining personal data.