Lemonade, Inc. LMND
Muddy Waters is short Lemonade after discovering a critical session-fixation flaw that let public search engines index logged-in customer accounts and expose customer PII, negligence that undercuts Lemonade's 'trustworthy' digital-native brand.
Thesis
Muddy Waters Capital publishes an open letter to Lemonade CEO Dan Schreiber disclosing a Stored Session Fixation vulnerability on Lemonade.com so severe that Google, Bing and the Wayback Machine inadvertently indexed logged-in customer accounts, exposing personally identifiable information since at least July 2020. Carson Block argues the flaw, which he says would score CVSS 10 and is detectable by a $400/year off-the-shelf scanner, demonstrates callous indifference to security at a company that markets itself as a trustworthy, digital-native insurer. The exposure potentially violates GDPR, the California Consumer Privacy Act and New York's 23 NYCRR Part 500 cybersecurity rules, creating material legal and regulatory liability. Muddy Waters rejects coordinated disclosure, demands Lemonade take the site offline until remediation is independently verified, and asks what other corners a company this careless has cut.
SCQA
Lemonade markets itself as a digital-native, AI-first insurer with no legacy systems, trading on the promise that its technology stack makes it more trustworthy and secure than incumbent carriers.
Muddy Waters accidentally discovered a Stored Session Fixation vulnerability that let anyone reach logged-in customer accounts through public search-engine results, a flaw Block rates CVSS 10 that had been open since July 2020 despite being trivially detectable.
Muddy Waters demands Lemonade immediately take its site, APIs and app offline until a qualified third party verifies remediation, and notify every affected customer plus relevant regulators.
Short thesis: exposure to GDPR, CCPA and NY 23 NYCRR 500 liability, reputational collapse of the 'trustworthy digital insurer' narrative, and further scrutiny of Lemonade's overall operational quality.
The three reasons
1. Lemonade's site leaks customer PII: Google, Bing and the Wayback Machine have indexed logged-in user accounts
2. The Stored Session Fixation flaw is rated CVSS 10 (critical) by Block; every customer since July 2020 is at risk
3. Likely violations of GDPR, CCPA and NY 23 NYCRR 500 expose Lemonade to significant liability
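Neither the letter's redacted screenshots nor this summary say how the fixation actually worked, so what follows is a generic, textbook illustration of the vulnerability class the letter names (session fixation), written for this page and not taken from Muddy Waters or Lemonade. It contrasts a login that honours a client-presented session id with one that discards it and issues a fresh id on authentication, and adds the two checks a practitioner would run first: flagging URLs that carry session-like query parameters (the usual route by which an authenticated page ends up in a crawler's index; an assumption about mechanism, not a finding from the report) and verifying that authenticated responses carry no-store and noindex headers. All user names, URLs, parameter names and credentials are constructed.

```python
"""Generic session-fixation simulation plus two practitioner checks.
Added example for this page; it is not Lemonade's code, and the URL-carried
session id it models is an assumption, not something the report establishes."""
import secrets
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed credential table; a real application verifies a password hash.
USERS = {"alice": "correct horse battery staple"}
# Query-parameter names commonly used to carry a session token (assumed list).
SESSION_PARAM_NAMES = {"sid", "sessionid", "session_id", "jsessionid", "phpsessid", "token"}

SessionStore = Dict[str, Optional[str]]   # session id -> authenticated user, or None


def _authenticate(username: str, password: str) -> bool:
    return USERS.get(username) == password


def vulnerable_login(store: SessionStore, presented_sid: Optional[str],
                     username: str, password: str) -> str:
    """Vulnerable: keeps whatever session id the client presented (for example
    one carried in a URL) and upgrades that same id to an authenticated session."""
    sid = presented_sid or secrets.token_urlsafe(32)
    store.setdefault(sid, None)
    if _authenticate(username, password):
        store[sid] = username          # an attacker-chosen id now maps to the victim
    return sid


def hardened_login(store: SessionStore, presented_sid: Optional[str],
                   username: str, password: str) -> str:
    """Hardened: never carries a pre-authentication id across login. On success
    the presented id is destroyed and a fresh server-generated id is issued."""
    if not _authenticate(username, password):
        return presented_sid or secrets.token_urlsafe(32)
    if presented_sid is not None:
        store.pop(presented_sid, None)   # whoever else holds the old id loses it
    new_sid = secrets.token_urlsafe(32)
    store[new_sid] = username
    return new_sid


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    return store.get(sid)


def fixation_attack(login: Callable[..., str]) -> Optional[str]:
    """Attacker plants a session id, the victim logs in while presenting it, and
    we report which user the attacker's id resolves to afterwards (None = safe)."""
    store: SessionStore = {}
    attacker_sid = secrets.token_urlsafe(32)   # attacker obtained or planted this id
    store[attacker_sid] = None                 # it already exists as an anonymous session
    login(store, attacker_sid, "alice", USERS["alice"])
    return whoami(store, attacker_sid)


def urls_carrying_session_ids(urls: Iterable[str]) -> List[str]:
    """Check 1: flag URLs whose query string carries a session-like parameter.
    Such URLs get copied into links, referrers, logs and crawler queues, which is
    how an authenticated page can end up in a public index."""
    flagged = []
    for url in urls:
        params = {name.lower() for name in parse_qs(urlparse(url).query)}
        if params & SESSION_PARAM_NAMES:
            flagged.append(url)
    return flagged


def missing_noindex_headers(headers: Dict[str, str]) -> List[str]:
    """Check 2: authenticated responses should tell caches and crawlers to stay
    away. Returns the protections absent from a response header map."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    missing = []
    if "no-store" not in lowered.get("cache-control", ""):
        missing.append("Cache-Control: no-store")
    if "noindex" not in lowered.get("x-robots-tag", ""):
        missing.append("X-Robots-Tag: noindex")
    return missing


if __name__ == "__main__":
    print("vulnerable login, attacker's id resolves to:", fixation_attack(vulnerable_login))
    print("hardened login, attacker's id resolves to:", fixation_attack(hardened_login))
    # Constructed sample URLs and headers, not taken from any real site.
    sample_urls = ["https://app.example.com/account?sid=abc123",
                   "https://app.example.com/policies/42",
                   "https://app.example.com/claims?JSESSIONID=xyz"]
    print(urls_carrying_session_ids(sample_urls))
    print(missing_noindex_headers({"Cache-Control": "public, max-age=3600"}))
```

The two login functions differ only in what happens to the presented id at the moment of authentication; rotating the id on every privilege change is the fix, and the two checks are how one would look for the symptom (tokens in URLs, cacheable authenticated pages) before the search engines do.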
Primary demands
- Take Lemonade.com offline immediately and fix the Stored Session Fixation vulnerability
- Investigate the scope of the security failure and notify all potentially impacted customers
- Shut down website, APIs, and mobile application until remediation is verified by a qualified third party
- Stripe should consider disengaging from integrated systems and monitor for fraud
Precedents cited
- Equifax data breach (2017)
- SolarWinds supply-chain compromise (2020)
- Colonial Pipeline ransomware attack (2021)
- The Friendly Bear short report on Lemonade (Dec 2020)
Notes
Open letter to CEO Dan Schreiber signed by Carson Block of Muddy Waters Capital. Word-style business letter, no slides. Pages 4-9 consist almost entirely of screenshots/evidence of the vulnerability that have been fully redacted (rendered as solid black boxes) in this released version — Muddy Waters presumably blacked out exploit details before publication to avoid giving attackers a roadmap. Contains profanity ('does not give a fuck') — unusually aggressive even for Block. Cites Carson Block's personal Equifax lawsuit as motivation. References competing short-seller 'The Friendly Bear' Dec 2020 report as supporting evidence. Thesis is security/negligence driven rather than accounting fraud — atypical for Muddy Waters playbook.