Insurtech company Lemonade has rejected claims put forward by a short seller that it has an “unforgivably negligent security flaw” on its website.
Muddy Waters Research LLC alleges that a vulnerability exists on Lemonade’s website that could potentially expose customers’ personally identifiable information.
The investor claims that it was able to log in to and edit Lemonade customer accounts without having to enter any user credentials.
In an open letter to Lemonade CEO Dan Schreiber dated May 13, Muddy Waters CEO Carson Block wrote that the vulnerability was “so gaping” that search engines including Google, Bing, and the Wayback Machine have inadvertently accessed the site and indexed PII belonging to Lemonade customers.
“By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any credentials whatsoever!” wrote Block.
According to Muddy Waters, the flaw appears to have existed since at least July 2020, “yet it is detectable through an industry standard off-the-shelf security testing application that costs $400 per year.”
Block wrote that “it is clear that Lemonade does not give a f*ck about securing its customers’ sensitive personal information.”
Lemonade denied the existence of a security flaw and said that no security breach had taken place.
“We’ll try to make this short,” Lemonade told Infosecurity Magazine. “What Muddy Waters Research found were links to four insurance quotes shared by Lemonade users themselves (aka, they loved it so much, they shared ’em).
“That’s not a vulnerability. We designed our quotes to be shareable, so anyone can share their quote with their family, friends, or mortgage bank.
“Turns out some people also like to brag about their quotes on Pinterest and UX blogs. Here’s an example: https://reallygoodux.io/blog/lemonade-user-onboarding. Since Google indexes Pinterest and blogs, these links end up being discoverable on Google, and Muddy Waters discovered them.”
They added: “We truly hope the folks over at Muddy Waters Research didn’t spend too much time on this.”
Muddy Waters went public with its report of an alleged security flaw before privately informing Lemonade of its intentions.