The Peloton API lacked any authentication.
Description
Any user or attacker with Internet access could query the APIs directly, with no credentials, and obtain large volumes of personally identifiable information (PII).
Broken object level authorization
Once an attacker had found the endpoint URL, the remaining question was whether the service would check who was asking for which record. It did not. This was the second flaw: broken object level authorization (API1:2019 in the OWASP API Security Top 10). The Peloton APIs exposed a great deal of sensitive information about users, instructors, classes and locations, and none of it was protected by an access control mechanism such as role-based access control (RBAC) or attribute-based access control (ABAC); nor had the data flows been analysed against a threat model. Any caller could request any object by its identifier and receive it.
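The following Python model is an added illustration, not code from this page or from Peloton. It sketches a profile endpoint with both flaws described above (no authentication, no object-level authorization) next to a hardened version, and an attacker loop that iterates over identifiers the way the description implies. The user records, tokens, `/api/user/<id>` path and function names are all constructed for the example.

```python
"""Toy model of the two API flaws described above.

Constructed example: the user records, session tokens and endpoint path are
made up for illustration and are not taken from the real Peloton API.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users with the kind of PII an API might expose.
USERS = {
    "u-1001": {"username": "alice", "email": "alice@example.com", "age": 34,
               "city": "Boston", "weight_kg": 61},
    "u-1002": {"username": "bob", "email": "bob@example.com", "age": 41,
               "city": "Denver", "weight_kg": 88},
}

# Constructed session store: bearer token -> user id of the caller.
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}


@dataclass
class Request:
    path: str                    # e.g. "/api/user/u-1002"
    token: Optional[str] = None  # bearer token, or None if the caller sent none


def _target_user_id(path: str) -> Optional[str]:
    """Extract the user id from a hypothetical /api/user/<id> path."""
    prefix = "/api/user/"
    return path[len(prefix):] if path.startswith(prefix) else None


def vulnerable_handle(req: Request):
    """Flaw 1 and flaw 2 together: the caller is never authenticated, and
    whatever id appears in the URL is looked up and returned as-is."""
    uid = _target_user_id(req.path)
    if uid not in USERS:
        return 404, {"error": "not found"}
    return 200, USERS[uid]


def hardened_handle(req: Request):
    """Authenticate the caller, then authorize the specific object requested."""
    caller = SESSIONS.get(req.token) if req.token else None
    if caller is None:
        return 401, {"error": "authentication required"}  # fixes flaw 1
    uid = _target_user_id(req.path)
    # Object-level authorization: the record must belong to the caller.
    # Checking ownership before the lookup means a non-owner also learns
    # nothing about which ids exist.
    if uid != caller:
        return 403, {"error": "forbidden"}                 # fixes flaw 2
    return 200, USERS[caller]


def enumerate_profiles(handler, ids, token=None):
    """Simulate an attacker iterating over user ids against a handler and
    collecting every record that comes back with HTTP 200."""
    leaked = {}
    for uid in ids:
        status, body = handler(Request(path=f"/api/user/{uid}", token=token))
        if status == 200:
            leaked[uid] = body
    return leaked


if __name__ == "__main__":
    ids = ["u-1001", "u-1002", "u-1003"]
    print("unauthenticated vs vulnerable:", enumerate_profiles(vulnerable_handle, ids))
    print("unauthenticated vs hardened:  ", enumerate_profiles(hardened_handle, ids))
    print("bob's token vs hardened:      ", enumerate_profiles(hardened_handle, ids, "tok-bob"))
```

Against `vulnerable_handle` the loop harvests every record without a token; against `hardened_handle` an anonymous caller gets nothing and an authenticated caller gets only their own record. Note that the ownership check is per object and per request; authenticating the caller alone (the first fix) would still leave the second flaw in place.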
References
https://t.co/TPuxEIsasA