Lemonade Denies “Unforgivably Negligent” Security Gaffe

Insurtech company Lemonade has refuted claims put forward by a short seller that it has an "unforgivably negligent security flaw" on its website.

Muddy Waters Research LLC alleges that a vulnerability exists on Lemonade's website that could potentially expose customers' personally identifiable information.

The investor claims that it was able to log in to and edit Lemonade customer accounts without having to enter any user credentials.

In an open letter to Lemonade CEO Dan Schreiber dated May 13, Muddy Waters CEO Carson Block wrote that the vulnerability was "so gaping" that search engines including Google, Bing, and the Wayback Machine have inadvertently accessed the site and indexed PII belonging to Lemonade customers.

"By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers' accounts without having to provide any credentials whatsoever!" wrote Block.
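The letter does not say how a search-result link could open an authenticated session, and the article quotes no technical detail. The following is an added illustration, not code from Lemonade, Muddy Waters or the magazine, of how a defender would audit for the general pattern the letter describes: account pages reachable from an indexed link. It assumes the common cause, a login token carried in the URL query string, and assumes the parameter names, the `/account` path prefix and the sample URLs and headers, all of which are constructed here.

```python
"""
Added audit example (not from the article): flag URLs that carry a
credential in their query string and account pages served without the
headers that keep them out of search-engine indexes and shared caches.
The parameter names, path prefix and sample data are assumptions.
"""
import re
from urllib.parse import urlparse, parse_qs

# Query parameter names that commonly carry a bearer credential (assumed list).
CREDENTIAL_PARAMS = {"token", "auth", "session", "sessionid", "access_token",
                     "login_token", "magic", "key", "sig"}

# Opaque secrets tend to look like long hex / base64url runs.
SECRET_SHAPE = re.compile(r"^[A-Za-z0-9_\-=]{20,}$")

# Paths that only an authenticated customer should ever see (assumed).
AUTHENTICATED_PREFIXES = ("/account",)


def credential_params(url: str) -> list[str]:
    """Return the query parameter names in `url` that look like embedded credentials."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    hits = []
    for name, values in qs.items():
        if name.lower() in CREDENTIAL_PARAMS:
            hits.append(name)
        elif any(SECRET_SHAPE.match(v) for v in values):
            hits.append(name)
    return hits


def missing_noindex_controls(headers: dict[str, str]) -> list[str]:
    """Return the protections absent from a response that serves account data."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    problems = []
    if "noindex" not in h.get("x-robots-tag", ""):
        problems.append("X-Robots-Tag: noindex")
    cache = h.get("cache-control", "")
    if "no-store" not in cache and "private" not in cache:
        problems.append("Cache-Control: no-store")
    return problems


def audit(urls: list[str], headers_by_url: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each problematic URL to the list of issues found for it."""
    findings = {}
    for url in urls:
        issues = []
        params = credential_params(url)
        if params:
            issues.append("credential in URL query: " + ", ".join(params))
        if urlparse(url).path.startswith(AUTHENTICATED_PREFIXES):
            issues += missing_noindex_controls(headers_by_url.get(url, {}))
        if issues:
            findings[url] = issues
    return findings


# Constructed sample input: one public quote page, one account link carrying a
# token, one account page served with permissive headers.
SAMPLE_URLS = [
    "https://insurer.example/quote?zip=10001",
    "https://insurer.example/account?login_token=Zm9vYmFyYmF6cXV4MTIzNDU2",
    "https://insurer.example/account/policy/42",
]
SAMPLE_HEADERS = {
    SAMPLE_URLS[0]: {"Cache-Control": "public, max-age=600"},
    SAMPLE_URLS[1]: {"Cache-Control": "no-store", "X-Robots-Tag": "noindex"},
    SAMPLE_URLS[2]: {"Cache-Control": "public"},
}

if __name__ == "__main__":
    for url, issues in audit(SAMPLE_URLS, SAMPLE_HEADERS).items():
        print(url)
        for issue in issues:
            print("  -", issue)
```

In practice the URL list would come from the site's access logs or a crawl of its own sitemap, and the header check from a fetch of each page. A credential that appears in a URL is the thing to remove, not just hide: a `noindex` header only stops well-behaved crawlers, while the link itself still leaks through browser history, referrer headers and shared screenshots.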

According to Muddy Waters, the flaw appears to have existed since at least July 2020, "yet it is detectable through an industry standard off-the-shelf security testing application that costs $400 per year."

Block wrote that "it is clear that Lemonade does not give a f*ck about securing its customers' sensitive personal information."

Lemonade denied the existence of a security flaw and said that no security breach had taken place.

"We’ll try to make this short," Lemonade told Infosecurity Magazine. "What Muddy Waters Research found were links to four insurance qu ..