Last night, the Internet learned that Patreon fired their entire security team, abruptly.
We also learned that the primary motivation was outsourcing.
People digging into this story have also reported that Patreon has also been cutting their security vendors for months and there was no clear motivation for the layoffs.
InfoSec Twitter’s response to this news was overall measured and appropriate given past experience with dysfunctional companies and the narrative contradictions we’ve already observe.
Not everyone has been calm and focused in their reactions, and I’ve been asked by several people whether or not they should delete their Patreon accounts in response to this news.
In light of both observations, I’d like to take a moment to explain:
- What we actually know, and what the risks are based on that knowledge.
- Why I ultimately chose to delete my Patreon account.
- Alternative platforms that artists and creators may want to migrate onto.
But before that, let me briefly introduce myself to people who aren’t regular readers of my blog. Feel free to skip that section if you don’t care.
Who Are You, Soatok?
I’m a furry blogger who also happens to work as a security engineer for the cryptography team at a large technology company.
You might have seen some of my posts float across technology news sites, occasionally.
I’m also known for making SwiftOnSecurity publicly cringe.
As a result of both my profession and my hobby, I maintain a modernized fork of the open source PHP library for Patreon’s API. My only interest in doing so was to make it easier for artists and technologists to secure their own widgets that integrate with Patreon.
Why Does This Matter?
Through my career (which I try, in almost all circumstances, to keep separate from my hobbies), I’ve been directly responsible for reviving security teams after total staffing shortages before–albeit not as a result of layoffs, so I still had some institutional knowledge (and limited access to the employees with the relevant undocumented muscle memory; who had transferred to other teams in the same company).
Rebuilding from zero without that? Good luck.
What We Actually Know About Patreon Laying Off Their Entire Security Team
- Patreon did actually lay off an entire Security Team
- Ellen Satterwhite, Patreon’s Interim Head of Communications & US Policy Lead, claims this was a result of a “strategic shift” of a portion of their security program
- Ellen also stated that Patreon relies on external organizations to assess their security against industry standards
- Patreon leadership has been public bragging about how little they were financially impacted by the COVID-19 pandemic
That’s all we know, for certain, to be true at this time.
- Patreon has allegedly been cutting security vendors for the past 4 months; which would likely undermine the confidence of their external organizations
- Employees have told reporters that there “was no clear reason for the layoffs and recent performance reviews had gone well” (also in previous link)
Until these allegations are examined further and reinforced with more evidence, as compelling as they might seem, we cannot consider them facts.
- How did this Team fit into the larger Patreon organizational chart?
- Was this entire Security Team also the entire Security Organization, or just a smaller group?
- What was the primary scope of responsibility for the Security Team that got axed by corporate leadership?
- Was the reported termination also part of a larger group of layoffs?
We don’t know the answer to any of these questions at this time.
What Are the Risks, Based on the Above?
Most of InfoSec twitter that has commented on this issue seem to agree that this is a canary warning about a bigger issue.
There is also some speculation in security back-channels that Patreon is in a similar situation to Equifax’s in 2017, but that remains to be seen.
More pressingly, a lot of people have expressed concern over the security of payment and/or payment card information.
I can sympathize where people are coming from, but there’s little reason for alarm on this specific point.
- Patreon outsources most of their risk to Stripe and PayPal. They don’t process payments themselves.
- Even if the limited access Patreon has to your financial accounts is leveraged by an attacker, there’s sufficient audit trails to reverse any unauthorized transactions.
Our financial systems are designed to tolerate an optimally non-zero amount of fraud. Even if we assume that firing an entire Security Team would result in an overall reduction in security for Patreon, your risk calculus shouldn’t change much.
Risk: Supporter Deanonymization
Attackers would, generally speaking, be far more interested in the blackmail potential for subscriber information. After all, a lot of Patreon pledges go to support NSFW and kink content creators.
While there’s nothing wrong with kink, sexuality, pornography, or sex work, many people aren’t in a position to comfortably and shamelessly live their best lives.
This means threatening to reveal their Patreon pledges to their family, local community, or employer may be sufficient to extort a few cyberbucks out of them. Why even bother with ransomware at that point?
Risk: Foolish Leadership
As stated above, firing an entire Security Team means removing any possibility of retaining critical institutional knowledge and muscle memory necessary for operational and security excellence within the scope of that Team’s responsibility.
In plain terms: This is a boneheaded business decision on the best of days.
While it’s possible that there are other factors at play that resulted in this decision being the least bad outcome for the company, none of those factors are good to begin with.
In the coming months, I’d encourage Patreon users to at least pay careful attention to any news stories about security breaches or ill-advised mergers/acquisitions that pre-date September 8, 2022.
Why I Deleted My Patreon Account
This was not a knee-jerk reaction. Rather, it was a deliberate and calculated decision in response to new information.
However, my primary motivation is a bit tricky to articulate, so bear with me for a minute.
The most valuable currency of any long-term business is trust.
Trust is easy to lose and hard to earn. The primary way companies can earn trust is through transparency, consistency, and fairness.
- If you lack transparency, you will always look like you’re hiding something.
- If you lack consistency, people won’t know what to expect, and will default to caution.
- If you lack fairness, people will develop a negative opinion of you, which means they will never trust you; even if only out of spite.
There’s definitely more to trust than that, but these are essential elements.
Firing an entire Security Team without warning undermines my ability to trust Patreon. This fails all three components I outlined above.
- Transparency: It was reportedly unclear to the employees why this happened
- Consistency: This isn’t typical behavior for Patreon
- Fairness: Laying off an entire Security Team is difficult to justify (and none was given, so…)
My other motivation is solidarity with the laid-off employees.
I cannot, in good conscience, financially support a company that treats their security teams this way.
I’m personally less concerned about my financial information (which was scoped down to “granted revocable permission to my PayPal account”) or the risk of blackmail attempts (anyone who doesn’t know I’m a furry is generally someone whose opinion I won’t lose sleep over souring if they find out).
However, my risks are not your risks. If you’re likely impacted by either outcome, adjust accordingly.
How Can We Still Support Creators Without Patreon?
Ultimately, the onus will be on the creator to accept recurring donations from more platforms in order to continue your support.
For the furry fandom, at least, most of us already have a Ko-fi account. Did you know Ko-fi has a monthly subscription feature too?
One Patreon alternative I’ve seen used a lot is SubscribeStar (which has a separate system for NSFW content).
There are also several listicles of Patreon alternatives floating around the Internet. I don’t have any strong opinions on most of them.
Should You Delete Your Patreon Account?
That’s entirely up to you. I’m not your boss.
If you do decide that Patreon is risky or untrustworthy for their poor decisions, you may want to delete your Patreon account.
However, it’s also okay if you decide differently than I did.
How Can I Delete My Patreon Account?
If you want to delete your account:
- Cancel your memberships
- Feel free to link to this blog post in the “reason” field
- Remove your payment information
- (For creators): Unpublish your Patreon page
- Make a privacy request for account deletion
It’s not completely straightforward, but it’s tractible.
This blog post, like literally everything else published on this blog, is the sole opinion of a computer nerd that presents as a talking blue cartoon canid on the Internet.
I do not represent any company (especially my employer) in any capacity.
I hope by tackling this topic with balance and nuance, everyone is able to calmly make the best decision for themselves and their personal risk profile.
This post first appeared on Dhole Moments - Software, Security, Cryptography, And The Furry Fandom, please read the originial post: here