Patreon Fires its Security Team — and the Internet Freaks Out

Patreon, the notorious membership monetization platform, laid off its entire security team yesterday. Just like that. Ouch.

The firm, which is still doing business in Russia, simply calls it “a strategic shift” (which seems to be corporate mumbo-jumbo for “cheaper outsourcing”). But infosec experts call it a “nightmare” caused by an “untrustworthy” company that’s “just put a massive target on its back.”

And there’s an unsubstantiated rumor that Patreon has been hacked again. In today’s SB Blogwatch, we hope it’s not as bad as 2015’s blackmail-fest.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jack Conte is an idiot.

Not OK, Jack

What’s the craic? Amanda Perelli reports—“Patreon has laid off … its security team”:

[It’s] “part of a strategic shift of a portion of our security program,” the company said. … The subscription platform is popular among content creators such as podcasters and YouTubers, and it lets them connect with their fans directly and charge a monthly fee for exclusive content. … It has more than 250,000 creators and more than 8 million patrons.

Patreon receives a percentage — between 5% and 12% — of the income creators earn from their members. It also charges payment processing fees when subscribers make a purchase and payout fees when funds are moved from the platform to the creator’s bank.

The entire team? Connor Jones is almost entirely sure—“Patreon confirms it ‘parted ways’ with its ‘entire’ cyber security team”:

Patreon has confirmed the reports … saying that it will now outsource much of the security to external organisations. … “We also partner with a number of external organisations to continuously develop our security capabilities and conduct regular security assessments to ensure we meet or exceed the highest industry standards. The changes made this week will have no impact on our ability to continue providing a secure and safe platform.”

The spokesperson for Patreon said the departing employees did not constitute its entire security team; however, they declined to specify what this meant. … Security and privacy engineer and former senior security engineer at Patreon, Emily Metcalfe, confirmed: … “I and the rest of the Patreon Security Team are no longer with the company,” she said.

Which sounds pretty “entire” to everyone else. For one, Matt Milano has no such qualms—“Patreon Just Let Its Entire Security Team Go”:

Patreon may have just put a massive target on its back. … Only time will tell if Patreon’s reliance on “external organizations” will be enough to maintain … security.

Even with its external partnerships … it’s hard to imagine a company of Patreon’s significance letting its own internal security team go.

Perhaps we’ll soon wake up from a bad dream? @TechstepWatkins hopes so:

This is the sort of thing that pops up in my nightmares. … Most likely situation I guess is that they’re outsourcing security to the cloud, which kinda just ****s over a bunch of qualified security professionals and opens you up to being targeted during the transition.

What should you do? Musubi seems to speak for many:

Account deletion request is in. **** keeping any personal information on a website that seems not that pressed about keeping it safe.

Is that entirely fair? Soatok nuances it up:

I deleted my Patreon account. … This was not a knee-jerk reaction. Rather, it was a deliberate and calculated decision in response to new information: … Patreon fired their entire security team [and] the primary motivation was outsourcing [but it] has allegedly been cutting security vendors for the past 4 months.

I’ve been directly responsible for reviving security teams after total staffing shortages before—albeit not as a result of layoffs, so I still had some institutional knowledge. … Rebuilding from zero without that? Good luck.

The most valuable currency of any long-term business is trust. … Firing an entire Security Team without warning undermines my ability to trust Patreon. … My other motivation is solidarity with the laid-off employees. [But] I’m not your boss. If you do decide that Patreon is risky or untrustworthy … you may want to delete your Patreon account.

But not everyone is against the idea. For example, @ProfXponent:

If your core competency isn’t security, you are better off outsourcing it. This isn’t really controversial at all. Sucks for the people who got laid off, but they will prob have new jobs by the end of the month.

Interestingly, there’s a rumor this is punishment for the team letting a hack happen. b0afc375b5 shares anecdotal evidence:

Anecdote: A few months ago … I decided to support someone at Patreon and to do that I had to enter my credit card details. A few days later there were fraudulent purchases on Alibaba charged to my card. I immediately called the bank, had my credit card frozen, reversed the transactions, and requested a new card.

I have a strong suspicion that it was Patreon that leaked my credit card info. … It was the only unusual payment I made—the usual being electric/internet bills, food delivery, etc.

Meanwhile, @KevinCollier sounds slightly sarcastic:

Fortunately, it’s not like Patreon handles payments from millions of active monthly users. So it’s unlikely they’ll be a big target for hackers.

And Finally:

Patreon CEO admits he’s an idiot—but argues it’s a good thing

CW: F-bombs and random scatology

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: K.C. Green

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
