An activist short seller has written a letter to the chief executive of insurance giant Lemonade with details of an “accidentally discovered” security flaw that exposes customers’ account data.
Carson Block, founder of investment research firm Muddy Waters Research, sent the letter to Lemonade co-founder and chief executive Daniel Schreiber on Thursday, describing the bug, which allowed anyone to inadvertently access personally identifiable data from customers’ accounts, as “unforgivably negligent.”
Block’s letter said: “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever.”
Lemonade launched in 2015 and offers renters’, homeowners’ and pet insurance policies across the U.S. and Europe. The company went public last year and saw its shares rocket by more than 130% on the day of its initial public offering. Lemonade this week reported a $49 million quarterly loss, deeper than what Wall Street was expecting.
The bug was co-discovered by Muddy Waters Research and Wolfpack Research, Block said. In a tweet, Wolfpack lead analyst Reed Sherman said one of Muddy Waters’ security consultants “was able to send me a PDF of my renter’s insurance policy less than 15 minutes after this was first discovered.”
Block told TechCrunch that his firm is shorting the company’s stock, per his letter, “because it’s clear Lemonade doesn’t give a fuck about securing its customers’ sensitive personal information.” Block said in his letter that Lemonade should “shut down its website, APIs, and mobile application” until the issue is fixed, which he says may date back to July 2020.
Block published his letter to Lemonade with redactions so as not to give away specific details of the bug. In a call, Block provided more details about the bug to TechCrunch in order to verify the vulnerability. One indexed search result let us log into a person’s Lemonade account and view their name, address, and quote details without ever being asked for the user’s password.
A short while later, some of the indexed results stopped working. TechCrunch asked Lemonade for comment but did not hear back prior to publication. We’ll update when we do.