Lemonade Data Breach: Website Bug Exposes Customer Info - Short Seller Report

Security Flaw Allegedly Exposes Lemonade Customer Data
An activist short seller has brought to light a potential security issue at Lemonade, a prominent insurance company. A letter detailing the flaw was sent to the company’s chief executive, outlining how customer account data may be exposed.
Details of the Discovered Bug
Carson Block, the founder of Muddy Waters Research, authored the letter to Daniel Schreiber, Lemonade’s co-founder and CEO. He described the discovered bug as “unforgivably negligent,” as it seemingly allowed unauthorized access to personally identifiable information.
According to Block’s communication, accessing customer accounts was surprisingly easy. He stated that clicking on search results from public search engines led to being logged in and able to edit accounts without any login credentials.
Lemonade's Background and Recent Performance
Lemonade, established in 2015, provides insurance policies for renters, homeowners, and pet owners across the United States and Europe. The company’s initial public offering last year saw a significant surge in share value, increasing by over 130% on its debut day.
However, recent financial reports indicate a quarterly loss of $49 million, exceeding Wall Street’s expectations.
Joint Discovery and Rapid Verification
The security flaw was reportedly co-discovered by Muddy Waters Research and Wolfpack Research. Reed Sherman, lead analyst at Wolfpack Research, shared on Twitter that a security expert from Muddy Waters was able to obtain a PDF of his renter’s insurance policy within 15 minutes of the initial discovery.
Short Selling Position and Call for Action
Block revealed that his firm is currently shorting Lemonade’s stock. He expressed a belief, detailed in his letter, that the company does not prioritize the security of its customers’ sensitive personal information.
He urged Lemonade to immediately “shut down its website, APIs, and mobile application” until the issue is fully resolved, suggesting the vulnerability may have existed since July 2020.
Bug Details and Lemonade's Response
Block strategically redacted specific details of the bug in his published letter to avoid revealing exploitable information. He later provided TechCrunch with further details to verify the vulnerability.
One example involved an indexed search result that allowed access to a person’s Lemonade account, displaying their name, address, and quote details without requiring a password.
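The failure mode described above, account pages reachable from a public search-engine result without a password, is one that a defender can audit for. The article does not say how those links authenticated the visitor; the audit below assumes the common case of a URL that carries a credential in its query string and checks whether such a page is marked non-indexable and non-cacheable. This is an added example written for this page, not code from Lemonade, Muddy Waters or the article; the parameter names in CREDENTIAL_PARAMS, the audit function and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query parameters that commonly carry a bearer-style credential in a URL.
# Constructed list for this example; extend it for your own application.
CREDENTIAL_PARAMS = {"token", "auth", "session", "magic", "key", "sig", "access_token"}


class _RobotsMetaParser(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def _lower_headers(headers):
    return {k.lower(): v for k, v in headers.items()}


def url_carries_credential(url):
    """True if any query parameter name looks like a credential."""
    return any(k.lower() in CREDENTIAL_PARAMS for k in parse_qs(urlparse(url).query))


def page_is_noindex(headers, body):
    """True if the response opts out of indexing via header or meta tag."""
    if "noindex" in _lower_headers(headers).get("x-robots-tag", "").lower():
        return True
    parser = _RobotsMetaParser()
    parser.feed(body)
    return "noindex" in parser.directives


def audit(page):
    """Return findings for one fetched page: a dict with url, headers and body."""
    findings = []
    if not url_carries_credential(page["url"]):
        return findings
    findings.append("credential-bearing URL")
    if not page_is_noindex(page["headers"], page["body"]):
        findings.append("indexable by search engines")
    if "no-store" not in _lower_headers(page["headers"]).get("cache-control", "").lower():
        findings.append("cacheable")
    return findings


# Constructed sample responses; no network access is needed.
SAMPLE_PAGES = [
    {   # weak: credential in URL, nothing stops a crawler from indexing it
        "url": "https://insurer.example/quote?token=abc123",
        "headers": {"Content-Type": "text/html"},
        "body": "<html><head><title>Your quote</title></head><body>Jane Doe</body></html>",
    },
    {   # hardened: same URL shape, but noindex header and no-store caching
        "url": "https://insurer.example/quote?token=abc123",
        "headers": {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"},
        "body": "<html><head><title>Your quote</title></head><body>Jane Doe</body></html>",
    },
    {   # hardened via meta tag instead of header, still cacheable
        "url": "https://insurer.example/quote?token=abc123",
        "headers": {"Content-Type": "text/html"},
        "body": '<html><head><meta name="robots" content="noindex"></head><body></body></html>',
    },
    {   # public page without a credential: nothing to report
        "url": "https://insurer.example/faq",
        "headers": {},
        "body": "<html><body>FAQ</body></html>",
    },
]


def audit_all(pages):
    return [audit(p) for p in pages]


if __name__ == "__main__":
    for page, findings in zip(SAMPLE_PAGES, audit_all(SAMPLE_PAGES)):
        print(page["url"], "->", findings or "ok")
```

The noindex check is a mitigation for the exposure path, not a substitute for the underlying fix: a link that grants account access should be short-lived and single-use, and editing account data should still require an authenticated session.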
Lemonade’s president, Shai Wininger, countered the claims, stating the issue is “not a vulnerability, it’s by design.” Yael Wissner-Levy, a Lemonade spokesperson, echoed this sentiment.
Following the public release of Block’s letter, some of the problematic indexed search results were reportedly deactivated.
This article has been updated to include comments from Lemonade.