Short seller says Lemonade website bug exposed insurance customers’ account data

An activist short seller has written a letter to the chief executive of insurance giant Lemonade with details of an “accidentally discovered” security flaw that exposes customers’ account data.

Carson Block, founder of investment research firm Muddy Waters Research, sent the letter to Lemonade co-founder and chief executive Daniel Schreiber on Thursday, describing the bug that allowed anyone to inadvertently access personally identifiable data from customers’ accounts as “unforgivably negligent.”

Block’s letter said: “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever.”

Lemonade launched in 2015 and offers renters’, homeowners’ and pet insurance policies across the U.S. and Europe. The company went public last year and saw its shares rocket by more than 130% on the day of its initial public offering. Lemonade this week reported a $49 million quarterly loss, deeper than what Wall Street was expecting.

The bug was co-discovered by Muddy Waters Research and Wolfpack Research, Block said. In a tweet, Wolfpack lead analyst Reed Sherman said one of Muddy Waters’ security experts “was able to send me a PDF of my renter’s insurance policy less than 15 minutes after this was first discovered.”

Block told TechCrunch that his firm is shorting the company’s stock, per his letter, “because it is clear Lemonade does not give a fuck about securing its customers’ sensitive personal information.” Block said in his letter that Lemonade should “shut down its website, APIs, and mobile application” until the issue is fixed, which he says may date back to July 2020.

Block published his letter to Lemonade with redactions so as to not give away specific details of the bug. In a call, Block provided more details about the bug to TechCrunch in order to verify the vulnerability. One indexed search result let us log into a person’s Lemonade account and view their name, address and quote details without ever asking for the user’s password.

In a tweet, Lemonade’s president Shai Wininger said the bug is “not a vulnerability, it’s by design.” Yael Wissner-Levy, a spokesperson for Lemonade, also said that this was by design. A short time after the letter was made public, some of the indexed results stopped working.

Updated with comments from Lemonade.