According to a post on McAfee’s blog, the team reported this issue to Peloton a few months ago and the companies began working together to develop a patch. The patch has since been tested, was confirmed to be effective on June 4, and began rolling out last week. Typically, security researchers wait until vulnerabilities have been patched before announcing the issue.
The exploit made it possible for hackers to use their own software, loaded via a USB thumb drive, to manipulate the Peloton Bike+ operating system. They would be able to steal information, set up remote internet access, install fake apps to trick riders into providing personal information, and more. Bypassing the encryption on the bike's communications was also a possibility, making other cloud services and the databases the bike accesses vulnerable.