Lemonade co-founder Shai Wininger is denying accusations from an activist short seller that the insurer’s website has a serious security vulnerability.
Muddy Waters Capital claims in a May 13 open letter to CEO Daniel Schreiber that, while doing “fundamental business research,” it discovered an “unforgivably negligent security” flaw that may expose customers’ personal information.
“Muddy Waters Capital LLC is short Lemonade because it is clear that Lemonade does not [care] about securing its customers’ sensitive personal information,” the firm alleged.
Wininger, in a series of tweets, denied the accusation, defending Lemonade’s system as safe and working as intended.
“Lets set things straight up front: What [Muddy Waters] found were links to 4 insurance quotes shared by Lemonade users themselves. (aka, they loved it so much, they shared ’em),” Wininger, who is also the company’s president and chief operating officer, wrote on Twitter. “That’s not a vulnerability, it’s by design!”
A Lemonade spokesperson explained further via email that the company designed its quotes to be shareable “so anyone can share their quote with their family, friends, or mortgage bank.”
The company cited a specific example of this at https://www.reallygoodux.io/blog/lemonade-user-onboarding.
Muddy Waters disagreed, asserting that Google and Bing “have inadvertently accessed the site and indexed customer [personal information].”
“By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever,” the letter claimed. “This vulnerability appears to have existed since at least July 2020, yet it is detectable through an industry standard off-the-shelf security system that costs $400 per year.”
Muddy Waters alleges that the issue reflects a “callous indifference to security” and could suggest “costly legal and regulatory breaches.”
Back on Twitter, Wininger said that “Since Google indexes Pinterest and blogs, these links end up being discoverable on Google,” underscoring his assertion that nothing questionable is going on.
“I hope you didn’t spend too much time on this,” Wininger added in his response to Muddy Waters.
Schreiber retweeted Wininger’s remarks.
Muddy Waters’ letter follows Lemonade’s 2021 first-quarter earnings call on May 12. The company lost $49 million, up from a $36.5 million net loss the year before, though it continued increasing premiums written and its customer base.
Lemonade’s stock appeared unaffected by the Muddy Waters remarks. The company’s stock closed at $64.72 on May 13, up more than 7.5 percent from the previous day, and it continued inching higher in after-hours trading.