An activist short seller has written a letter to the chief executive of insurance giant Lemonade with details of an “accidentally discovered” security flaw that exposes customers’ account data.
Carson Block, founder of investment research firm Muddy Waters Research, sent the letter to Lemonade co-founder and chief executive Daniel Schreiber on Thursday, describing the bug that allowed anyone to inadvertently access personally identifiable data from customers’ accounts as “unforgivably negligent.”
Block’s letter said: “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever.”
Lemonade launched in 2015 and offers renters’, homeowners’ and pet insurance policies across the U.S. and Europe. The company went public last year and saw its shares rocket by more than 130% on the day of its initial public offering. Lemonade this week reported a $49 million quarterly loss, deeper than what Wall Street was expecting.
The bug was co-discovered by Muddy Waters Research and Wolfpack Research, Block said. In a tweet, Wolfpack lead analyst Reed Sherman said one of Muddy Waters’ security experts “was able to send me a PDF of my renter’s insurance policy less than 15 minutes after this was first discovered.”
Block told TechCrunch that his firm is shorting the company’s stock, per his letter, “because it is clear Lemonade does not give a fuck about securing its customers’ sensitive personal information.” Block said in his letter that Lemonade should “shut down its website, APIs, and mobile application” until the issue is fixed, which he says may date back to July 2020.
Block published his letter to Lemonade with redactions so as not to give away specific details of the bug. In a call, Block provided more details about the bug to TechCrunch in order to verify the vulnerability. One indexed search result let us log in to a person’s Lemonade account and view their name, address, and quote details without ever being asked for the user’s password.
A short time later, some of the indexed results stopped working. TechCrunch asked Lemonade for comment but did not hear back prior to publication. We’ll update when we do.