Insurance company Lemonade said a website security flaw that exposed customer data is ‘by design.’

In an open letter to Lemonade CEO Dan Schreiber, Carson Block, founder of Muddy Waters Research, wrote the details of an “accidentally discovered” security flaw that exposes customers’ account data. 

Block explained that the vulnerability allowed anyone to access personally identifiable data from customers’ accounts, adding that the vulnerability was “so gaping” it allowed search engines including Google and Bing, to inadvertently access the site and index PII belonging to Lemonade customers. 

 “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any credentials whatsoever.” 

 The flaw is said to have existed since at least July 2020 and has been undetectable “through an industry standard off-the-shelf security testing application.”

Lemonade has denied the allegation, stating that the flaw is not a vulnerability but a design: “We designed our quotes to be shareable, so anyone can share their quote with their family, friends, or mortgage bank.”